Abstract. We study the underlying mathematical properties of various
partial order models of concurrency based on transition systems, Petri 
nets, and event structures, and show that the concurrent behaviour of 
these systems can be captured in a uniform way by two simple and gen- 
eral dualities of local behaviour. Such dualities are used to define new 
mu-calculi and logic games for the analysis of concurrent systems with 
partial order semantics. Some results of this work are: the definition of 
a number of mu-calculi which, in some classes of systems, induce the
same identifications as some of the best known bisimulation equivalences 
for concurrency; and the definition of (infinite) higher-order logic games
for bisimulation and model-checking, where the players of the games are 
given (local) monadic second-order power on the sets of elements they 
are allowed to play. More specifically, we show that our games are sound 
and complete, and therefore, determined; moreover, they are decidable in 
the finite case and underpin novel decision procedures for bisimulation 
and model-checking. Since these mu-calculi and logic games generalise 
well-known fixpoint logics and game-theoretic decision procedures for 
concurrent systems with interleaving semantics, the results herein give 
some of the groundwork for the design of a logic-based, game-theoretic 
framework for studying, in a uniform way, several concurrent systems re- 
gardless of whether they have an interleaving or a partial order semantics. 

Keywords: Modal and temporal logics; Petri nets, event structures, TSI 
models; Bisimulation and model-checking; Logic games for verification. 

1 Introduction 

Concurrency theory studies the logical and mathematical foundations of paral- 
lel processes, i.e., of systems composed of independent components which can 
interact with each other and with an environment. These systems can be anal- 
ysed by studying the formalisms (logics and methodologies) employed to specify 
and verify their properties as well as the mathematical structures used to repre- 
sent their behaviour. Such formalisms and structures make use of models of two 
different kinds: interleaving or partially ordered. This semantic feature is partic- 
ularly important as most logics, tools, and verification techniques for analysing 
the behaviour of concurrent systems have to take this difference into account. 
This is sometimes an undesirable situation since it obscures our understanding of 
concurrent computations and divides research efforts in two different directions.
Here we report on some work towards the definition of theories and verification 
techniques for analysing different models for concurrency in a uniform way. 



This study focuses on core issues related to mu-calculi (fixpoint extensions of 
modal logic, in this case) and infinite logic games for concurrency. In particular, 
using a game-theoretic approach, we study fixpoint modal logics with partial 
order models as well as their associated bisimulation and model-checking prob- 
lems. Our results show that generalisations (to a partial order setting) of some of 
the theories and verification techniques for interleaving concurrency can be used 
to address, uniformly, the analysis of concurrent systems with both interleaving 
and partial order semantics. Some of our particular contributions are as follows. 

We first study the relationships between logics and equivalences for concurrent
systems with partial order semantics purely based on observable 'local
dualities' between concurrency and conflict, on the one hand, and concurrency and
causality on the other. These dualities, which can be found across several partial 
order models of concurrency, are mathematically supported in a beautiful way 
by a simple axiomatization of concurrent behaviour. Although the dualities and 
axiomatization are defined with respect to partial order models of concurrency, 
such dualities and axiomatization have a natural interpretation when consider- 
ing concurrent systems with interleaving semantics such as transition systems 
(or their unfoldings) since they appear as particular instances of our framework. 

We also define a logical notion of equivalence for concurrency tailored to be 
model independent. We do so by defining a number of fixpoint modal logics whose 
semantics are given by an intermediate structure called a 'process space', which 
is a mathematical structure intended to be used as a common bridge between 
the particular models of concurrency under consideration. Roughly speaking, 
a process space is a structure that contains the local partial order behaviour 
of a concurrent system, and is built using the local dualities mentioned above. 
Then, following this approach, two concurrent systems, possibly with models of 
different kinds, can be compared with each other within the same framework by 
comparing logically their associated process spaces. 

Moreover, some of the bisimulation equivalences induced by these logics coin- 
cide with the standard bisimilarities both for interleaving and for causal systems, 
namely with Milner's strong bisimilarity (sb [20') and with history-preserving 
bisimilarity (hpb [42]), respectively. The latter result holds when restricted to a 
particular class of concurrent systems, which we currently call the class of S- 
systems. We also define a new bisimulation equivalence, which (on S'-systems) is 
strictly stronger than hpb and strictly weaker than hereditary history-preserving 
bisimilarity (hhpb [22]), one of the specializations of the abstract notion of
bisimulation equivalence defined by Joyal, Nielsen, and Winskel using open maps [22].

We also study the model-checking problem for these logics against the models 
for concurrency we consider here. The outcome of this is a generalisation of the 
local model-checking games defined by Stirling [46] for the mu-calculus ($\mathcal{L}_\mu$ [24]).
This new game-based decision procedure is used for the temporal verification of
a class of regular event structures [SO], and thereby, we improve previous results
in the literature [27,40] in terms of temporal expressive power. We do so by
allowing a free interplay of fixpoint operators and local monadic second-order
power on the sets of elements that can be described within the logics. 
The distinctive feature of the (infinite) logic games we define in order to
address the bisimulation and model-checking problems we have described is that
through their formal definition we move from a traditional setting where both
players, namely a "Verifier" Eve ($\exists$) and a "Falsifier" Adam ($\forall$), have first-order
power on the elements available in the locality where they are to play, to a more 
complex setting in which the players are provided with higher-order power on the 
sets of elements they are allowed to play. From a more computational viewpoint, 
we show that despite their higher-order features both logic games are sound and 
complete, and therefore, determined; moreover, they are also decidable when 
played on finite systems allowing for possible practical implementations. 

The structure of the document is as follows. Section [2] introduces some back- 
ground on the models for concurrency, fixpoint modal logics, and bisimulation 
and model-checking games of our interest. In Section [3] we define the local du- 
alities recognisable in several (partial order) models for concurrency as well as 
the fixpoint modal logics that can be extracted from such dualities; here we 
also study the bisimulation equivalences induced by some of the modal logics 
defined in this section making no use of any game-theoretic machinery. Then, in 
Sections [4] and [5] we introduce the higher-order logic games that characterise,
respectively, the bisimulation and model-checking problems of the logics defined
in the previous section; we also show their correctness and applications as
described before. Finally, in Section [5] a summary of related work is given, and in
scribed before. Finally, in Section [5] a summary of related work is given, and in 
Section [7] we provide some concluding remarks and directions for further work. 

2 Preliminaries 

In this section we study the models for concurrency of our interest, together with 
background material on the modal logics and games for verification that are rele- 
vant to the work presented in this document. We also discuss some relationships 
between the models for concurrency that are studied here as well as between 
the equivalences induced by the modal logics presented in this section and the 
equivalences for concurrency considered in this and forthcoming sections. 

2.1 Partial Order Models of Concurrency 

In concurrency there are two main semantic approaches to modelling concurrent 
behaviour, either using interleaving or partial order models for concurrency. On 
the one hand, interleaving models represent concurrency as the nondeterministic 
combination of all possible sequential behaviours in the system. On the other 
hand, partial order models represent concurrency explicitly by means of an in- 
dependence relation on the set of actions, transitions, or events in the system 
that can be executed concurrently. 

We are interested in partial order models for various reasons. In particular, 
because they can be seen as a generalisation of interleaving models as explained 
later. This feature allows us to define the logics and games developed in further 
sections in a uniform way for several different models for concurrency, regardless
of whether they are used to provide interleaving or partial order semantics. 

In the following, we present the three partial order models for concurrency 
that we study here, namely Petri nets, transition systems with independence, and 
event structures. We also present some basic relationships between these three 
models, and how they generalise some models for interleaving concurrency. For 
further information on models for concurrency and their relationships the reader 
is referred to [35,43] where one can find a more comprehensive presentation.

Petri Nets. A net $\mathcal{N}$ is a tuple $(P, C, R, \theta, \Sigma)$, where $P$ is a set of places,
$C$ is a set of actions, $R \subseteq (P \times C) \cup (C \times P)$ is a relation between places and
actions, and $\theta$ is a labelling function $\theta : C \to \Sigma$ from actions to a set $\Sigma$ of action
labels. Places and actions are called nodes; given a node $n \in P \cup C$, the set
${}^\bullet n = \{x \mid (x, n) \in R\}$ is the preset of $n$ and the set $n^\bullet = \{y \mid (n, y) \in R\}$ is the
postset of $n$. These elements define the static structure of a net.¹ The notion of
computation state in a net (i.e., its dynamic part) is that of a 'marking', which
is a set or a multiset of places; in the former case such nets are called safe.
Hereafter we only consider safe nets. 

Definition 2.1 A Petri net $\mathfrak{N}$ is a tuple $(\mathcal{N}, M_0)$, where $\mathcal{N} = (P, C, R, \theta, \Sigma)$
is a net and $M_0 \subseteq P$ is its initial marking. $\triangleleft$

As mentioned above, markings define the dynamics of nets; they do so in the
following way. We say that a marking $M$ enables an action $t$ iff ${}^\bullet t \subseteq M$. If $t$ is
enabled at $M$, then $t$ can occur and its occurrence leads to a successor marking
$M'$, where $M' = (M \setminus {}^\bullet t) \cup t^\bullet$, written as $M \xrightarrow{t} M'$. Let $\to$ be the relation
between successor markings and let $\to^*$ be its transitive closure. Given a Petri
net $\mathfrak{N} = (\mathcal{N}, M_0)$, the relation $\to^*$ defines the set of reachable markings in the
system $\mathfrak{N}$; such a set of reachable markings is fixed for any pair $(\mathcal{N}, M_0)$, and
can be constructed with the occurrence net unfolding construction defined by 
Nielsen, Plotkin, and Winskel 05 • 

Finally, let par be the symmetric independence relation on actions such that 
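$t_1 \mathrel{par} t_2$ iff ${}^\bullet t_1^\bullet \cap {}^\bullet t_2^\bullet = \emptyset$, where ${}^\bullet t^\bullet$ stands for the set ${}^\bullet t \cup t^\bullet$, and there exists a
reachable marking $M$ such that both ${}^\bullet t_1 \subseteq M$ and ${}^\bullet t_2 \subseteq M$. Then, if two actions
$t_1$ and $t_2$ can occur concurrently they must be independent, i.e., $(t_1, t_2) \in par$.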

Transition Systems with Independence. A labelled transition system (LTS) 
is an edge-labelled graph structure. Formally, an LTS is a tuple $(S, T, \Sigma)$, where
$S$ is a set of vertices called states, $\Sigma$ is a set of labels, and $T \subseteq S \times \Sigma \times S$ is a set
of $\Sigma$-labelled edges, which are called transitions. A rooted LTS is an LTS with a
designated initial state $s_0 \in S$. A transition system with independence is a rooted
LTS where independent transitions can be explicitly recognised. Formally: 

¹ The reader acquainted with net theory may have noticed that we use the word
'action' instead of 'transition', more common in the literature on (Petri) nets. We have
made this choice of notation in order to avoid confusion later on in the document. 
Definition 2.2 A transition system with independence (TSI) $\mathcal{T}$ is a tuple
$(S, s_0, T, I, \Sigma)$, where $S$ is a set of states with initial state $s_0$, $T \subseteq S \times \Sigma \times S$
is a transition relation, $\Sigma$ is a set of labels, and $I \subseteq T \times T$ is an irreflexive
and symmetric relation on independent transitions. The binary relation $\prec$ on
transitions defined by

$$(s, a, s_1) \prec (s_2, a, q) \iff \exists b.\ (s, a, s_1) \mathrel{I} (s, b, s_2) \land (s, a, s_1) \mathrel{I} (s_1, b, q) \land (s, b, s_2) \mathrel{I} (s_2, a, q)$$

expresses that two transitions are 'instances' of the same action, but in two
different interleavings. We let $\sim$ be the least equivalence relation that includes
$\prec$, i.e., the reflexive, symmetric, and transitive closure of $\prec$. The equivalence
relation $\sim$ is used to group all transitions that are instances of the same action
in all its possible interleavings. Additionally, $I$ is subject to the following axioms:

- A1. $(s, a, s_1) \sim (s, a, s_2) \Rightarrow s_1 = s_2$

- A2. $(s, a, s_1) \mathrel{I} (s, b, s_2) \Rightarrow \exists q.\ (s, a, s_1) \mathrel{I} (s_1, b, q) \land (s, b, s_2) \mathrel{I} (s_2, a, q)$

- A3. $(s, a, s_1) \mathrel{I} (s_1, b, q) \Rightarrow \exists s_2.\ (s, a, s_1) \mathrel{I} (s, b, s_2) \land (s, b, s_2) \mathrel{I} (s_2, a, q)$

- A4. $(s, a, s_1) \mathrel{(\prec \cup \succ)} (s_2, a, q) \mathrel{I} (w, b, w') \Rightarrow (s, a, s_1) \mathrel{I} (w, b, w')$ $\triangleleft$

Axiom A1 states that from any state, the execution of a transition leads
always to a unique state. This is a determinacy condition. Axioms A2 and A3
ensure that independent transitions can be executed in either order. Finally, A4
ensures that the relation $I$ is well defined. More precisely, A4 says that if two
transitions $t$ and $t'$ are independent, then all other transitions in the equivalence
class $[t]_\sim$ (i.e., all other transitions that are instances of the same action but in
different interleavings) are independent of $t'$ as well, and vice versa. Having said
that, an alternative and possibly more intuitive definition for axiom A4 can be
given. Let $\mathfrak{I}(t)$ be the set $\{t' \mid t \mathrel{I} t'\}$. Then, axiom A4 is equivalent to this
expression: A4'. $t_1 \sim t_2 \Rightarrow \mathfrak{I}(t_1) = \mathfrak{I}(t_2)$.

This axiomatization of concurrent behaviour was defined by Winskel and 
Nielsen [3S], but has its roots in the theory of traces notably developed by 
Mazurkiewicz for trace languages, one of the simplest partial order models for 
concurrency. As shown in Figure [1] this axiomatization can be used to generate
a 'concurrency diamond' for any two independent transitions t and t' . 




Fig. 1. The 'concurrency diamond' for $t \mathrel{I} t'$, where $t = (s, a, s_1)$ and $t' =
(s, b, s_2)$. Concurrency is depicted with the symbol $I$ inside the square. The
initial state is o.
Event Structures. An event structure is a possibly labelled partially ordered
set (poset) together with a binary relation on such a set. Formally: 

Definition 2.3 A labelled event structure $\mathcal{E}$ is a tuple $(E, \preccurlyeq, \sharp, \eta, \Sigma)$, where $E$
is a set of events that are partially ordered by $\preccurlyeq$, the causal dependency relation
on events; events in a labelled event structure are 'occurrences' of actions in a
system. Moreover, $\eta : E \to \Sigma$ is a labelling function from events to a set of labels
$\Sigma$, and $\sharp \subseteq E \times E$ is an irreflexive and symmetric conflict relation such that the
following two conditions hold: (1) if $e_1, e_2, e_3 \in E$ and $e_1 \mathrel{\sharp} e_2 \preccurlyeq e_3$, then $e_1 \mathrel{\sharp} e_3$;
and moreover (2) $\forall e \in E$ the set $\{e' \in E \mid e' \preccurlyeq e\}$ is finite. $\triangleleft$

The independence relation on events is defined with respect to the causal
relation $\preccurlyeq$ and conflict relation $\sharp$ on events. Two events $e_1$ and $e_2$ are said to
be concurrent with each other, denoted by $e_1 \mathrel{co} e_2$, iff $e_1 \not\preccurlyeq e_2$ and $e_2 \not\preccurlyeq e_1$
and $\neg(e_1 \mathrel{\sharp} e_2)$. The notion of computation state for event structures is that of a
'configuration'. A configuration $C$ is a conflict-free set of events (i.e., if $e_1, e_2 \in
C$, then $\neg(e_1 \mathrel{\sharp} e_2)$) such that if $e \in C$ and $e' \preccurlyeq e$, then $e' \in C$. The initial
configuration (or initial state) of an event structure $\mathcal{E}$ is by definition the empty
configuration $\{\}$. Finally, a successor configuration $C'$ of a configuration $C$ is
given by $C' = C \cup \{e\}$ such that $e \notin C$. Write $C \xrightarrow{e} C'$ for this relation, and let
$\to^*$ be defined similar to the Petri net case.

A Uniform Representation. Despite being different informatic structures, 
the three models for concurrency just presented have a number of fundamental 
relationships between them, as well as with some models for interleaving concur- 
rency. More precisely, TSI are noninterleaving transition-based representations 
of Petri nets, whereas event structures are unfoldings of TSI. This is analogous 
to the fact that LTS are interleaving transition-based representations of Petri 
nets while trees are unfoldings of LTS. 

There are also simple relationships between TSI and LTS as well as between 
event structures and trees as follows: LTS are exactly those TSI with an empty 
independence relation / on transitions, and trees are those event structures with 
an empty relation co on events. In this way, partial order models can generalise
the most important interleaving models in concurrency (and in program verifi- 
cation), namely LTS, trees, and Kripke structures (which are the vertex-labelled 
counterparts of LTS models). 

Since the results presented in further sections are valid across all the models 
previously mentioned, it is convenient to fix some notations to refer unambigu- 
ously to any of them. To this end, we use the notation coming from the TSI 
model and present the maps that determine a TSI model based on the prim- 
itives of Petri nets and event structures. Also, with no further distinctions we 
use the word 'system' when referring to any of these models or to sub-models of 
them, e.g., to LTS or Kripke structures. 

The main reason for our choice of notation is that the basic components of a 
TSI can be easily and uniformly recognised in all the other models studied here. 
Thus, the translations are simple and direct. Also, this generic setting allows one 
to see more clearly that the axiomatization presented for TSI also holds for the
other partial order models when analysing their local behaviour. 

Petri Nets and Event Structures as TSI Models. A Petri net $\mathfrak{N} = (\mathcal{N}, M_0)$, where
$\mathcal{N} = (P, C, R, \theta, \Sigma)$ is a net as defined before and $M_0$ is its initial marking, can
be represented as a TSI $\mathcal{T} = (S, s_0, T, I, \Sigma)$ in the following way:

$$S = \{M \subseteq P \mid M_0 \to^* M\}$$
$$T = \{(M, a, M') \mid \exists t \in C.\ a = \theta(t),\ M \xrightarrow{t} M'\}$$
$$I = \{((M_1, a, M_1'), (M_2, b, M_2')) \mid \exists (t_1, t_2) \in par.\ a = \theta(t_1),\ b = \theta(t_2),\ M_1 \xrightarrow{t_1} M_1',\ M_2 \xrightarrow{t_2} M_2'\}$$

where the set of states $S$ of the TSI $\mathcal{T}$ represents the set of reachable markings of
$\mathfrak{N}$, the initial state $s_0$ is the initial marking $M_0$, the set of labels $\Sigma$ remains the
same, and $T$ and $I$ have the expected derived interpretations. Similarly, an event
structure $\mathcal{E} = (E, \preccurlyeq, \sharp, \eta, \Sigma)$ determines a TSI $\mathcal{T} = (S, s_0, T, I, \Sigma)$ by means of
the following mapping:

$$S = \{C \subseteq E \mid \{\} \to^* C\}$$
$$T = \{(C, a, C') \mid \exists e \in E.\ a = \eta(e),\ C \xrightarrow{e} C'\}$$
$$I = \{((C_1, a, C_1'), (C_2, b, C_2')) \mid \exists (e_1, e_2) \in co.\ a = \eta(e_1),\ b = \eta(e_2),\ C_1 \xrightarrow{e_1} C_1',\ C_2 \xrightarrow{e_2} C_2'\}$$

where the set of states $S$ is the set of configurations of $\mathcal{E}$, the initial state $s_0$ is
the initial configuration $\{\}$, and, as before, the set of labels $\Sigma$ remains the same
in both models, and $T$ and $I$ have the expected derived TSI interpretations.

Notice that actions in a Petri net, transitions in a TSI and events in an event 
structure are all different. As said before, transitions are instances of actions, 
i.e., are actions relative to a particular interleaving. For instance, a Petri net 
composed of two independent actions ($a \parallel b$ in CCS notation [21]) is represented
by a TSI with four different transitions, since there are two possible interleavings
in such a system, namely $a_1.b_2$ and $b_1.a_2$. Therefore each action in the Petri net
for $a \parallel b$ becomes two different transitions in the corresponding TSI.
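
The Petri-net-to-TSI mapping above, carried out on two small nets, as an added example that is not part of the original paper. The nets, place names (p1..p4) and action names (ta, tb) are constructed for illustration; only finite safe nets are assumed.

```python
from collections import namedtuple
from itertools import product

# A safe net with its initial marking: pre/post map each action to its
# preset/postset of places, label is the labelling function on actions.
Net = namedtuple("Net", "pre post label m0")

# Constructed sample nets (all names are illustrative assumptions).
PARALLEL = Net(  # a || b: the two actions touch disjoint places
    pre={"ta": frozenset({"p1"}), "tb": frozenset({"p2"})},
    post={"ta": frozenset({"p3"}), "tb": frozenset({"p4"})},
    label={"ta": "a", "tb": "b"},
    m0=frozenset({"p1", "p2"}),
)
CHOICE = Net(  # a + b: both actions compete for the single token in p1
    pre={"ta": frozenset({"p1"}), "tb": frozenset({"p1"})},
    post={"ta": frozenset({"p2"}), "tb": frozenset({"p3"})},
    label={"ta": "a", "tb": "b"},
    m0=frozenset({"p1"}),
)

def enabled(net, marking, t):
    """M enables t iff the preset of t is contained in M."""
    return net.pre[t] <= marking

def fire(net, marking, t):
    """Successor marking M' = (M minus preset of t) union postset of t."""
    return (marking - net.pre[t]) | net.post[t]

def reachable(net):
    """All markings reachable from the initial marking."""
    seen, todo = {net.m0}, [net.m0]
    while todo:
        m = todo.pop()
        for t in net.pre:
            if enabled(net, m, t) and fire(net, m, t) not in seen:
                seen.add(fire(net, m, t))
                todo.append(fire(net, m, t))
    return seen

def par(net, states):
    """t1 par t2 iff their neighbourhoods (preset union postset) are disjoint
    and some reachable marking enables both."""
    nb = {t: net.pre[t] | net.post[t] for t in net.pre}
    return {(t1, t2) for t1, t2 in product(net.pre, repeat=2)
            if t1 != t2 and not nb[t1] & nb[t2]
            and any(enabled(net, m, t1) and enabled(net, m, t2) for m in states)}

def net_to_tsi(net):
    """Return (S, s0, T, I) as in the mapping from Petri nets to TSI."""
    states = reachable(net)
    # Keep the action with each step so that I can be derived from par.
    steps = [(m, t, fire(net, m, t))
             for m in states for t in net.pre if enabled(net, m, t)]
    T = {(m, net.label[t], m2) for m, t, m2 in steps}
    indep = par(net, states)
    I = {((m1, net.label[t1], n1), (m2, net.label[t2], n2))
         for (m1, t1, n1), (m2, t2, n2) in product(steps, repeat=2)
         if (t1, t2) in indep}
    return states, net.m0, T, I

def satisfies_a2(T, I):
    """Axiom A2: independent transitions from one state close a diamond."""
    for t, u in I:
        (s, a, s1), (s_u, b, s2) = t, u
        if s_u != s:
            continue
        if not any((t, (s1, b, q)) in I and (u, (s2, a, q)) in I
                   for (_, _, q) in T):
            return False
    return True

if __name__ == "__main__":
    for name, net in (("a || b", PARALLEL), ("a + b", CHOICE)):
        S, s0, T, I = net_to_tsi(net)
        print(name, len(S), "states", len(T), "transitions", len(I), "pairs in I")
```

For the choice net the independence relation comes out empty, so the resulting TSI is a plain LTS.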

On the other hand, events are occurrences of actions, i.e., are actions relative 
to the causality relation. For instance, the Petri net representing the system 
defined by $(a + b).c$, where $a + b$ is the nondeterministic choice between actions
$a$ and $b$, and $.$ is the sequential composition of such a choice with the action $c$, is
represented by four events, instead of only three, because there are two different
causal lines for the execution of action $c$, namely $a.c_1$ and $b.c_2$. Then, the Petri
net action $c$ becomes two events $c_1$ and $c_2$ in the corresponding event structure.
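
The event structure for $(a + b).c$ and its TSI, computed from the definitions of configuration, co and the event-structure-to-TSI mapping, as an added example that is not part of the original paper. The event names and the two sample structures are constructed; only finite event structures are assumed.

```python
from itertools import product

def causal_order(events, causes):
    """Reflexive-transitive closure of the given (cause, effect) pairs."""
    leq = {(e, e) for e in events} | set(causes)
    while True:
        new = {(x, z) for (x, y), (y2, z) in product(leq, repeat=2)
               if y == y2} - leq
        if not new:
            return leq
        leq |= new

def inherit_conflict(events, leq, conflict):
    """Least symmetric relation containing `conflict` and closed under
    condition (1): e1 # e2 and e2 <= e3 imply e1 # e3."""
    conf = set(conflict) | {(y, x) for x, y in conflict}
    while True:
        new = {(e1, e3) for (e1, e2), e3 in product(conf, events)
               if (e2, e3) in leq}
        new |= {(y, x) for x, y in new}
        new -= conf
        if not new:
            return conf
        conf |= new

def is_configuration(c, events, leq, conf):
    """Conflict-free and downwards closed with respect to causality."""
    conflict_free = not any((x, y) in conf for x in c for y in c)
    down_closed = all(x in c for y in c for x in events if (x, y) in leq)
    return conflict_free and down_closed

def configurations(events, leq, conf):
    """All configurations reachable from {} by adding one event at a time."""
    seen, todo = {frozenset()}, [frozenset()]
    while todo:
        c = todo.pop()
        for e in events:
            c2 = c | {e}
            if e not in c and c2 not in seen and is_configuration(c2, events, leq, conf):
                seen.add(c2)
                todo.append(c2)
    return seen

def concurrent(events, leq, conf):
    """e1 co e2 iff neither causally related nor in conflict."""
    return {(x, y) for x, y in product(events, repeat=2)
            if x != y and (x, y) not in leq and (y, x) not in leq
            and (x, y) not in conf}

def event_structure_to_tsi(events, causes, conflict, label):
    """Return (S, s0, T, I, co) following the mapping to TSI."""
    leq = causal_order(events, causes)
    conf = inherit_conflict(events, leq, conflict)
    states = configurations(events, leq, conf)
    steps = [(c, e, c | {e}) for c in states for e in events
             if e not in c and (c | {e}) in states]
    T = {(c, label[e], c2) for c, e, c2 in steps}
    co = concurrent(events, leq, conf)
    I = {((c1, label[e1], d1), (c2, label[e2], d2))
         for (c1, e1, d1), (c2, e2, d2) in product(steps, repeat=2)
         if (e1, e2) in co}
    return states, frozenset(), T, I, co

# Constructed sample structures (event names are illustrative assumptions).
CHOICE_THEN_C = dict(  # (a + b).c: c occurs once per causal line
    events={"a", "b", "c1", "c2"},
    causes={("a", "c1"), ("b", "c2")},
    conflict={("a", "b")},
    label={"a": "a", "b": "b", "c1": "c", "c2": "c"},
)
PARALLEL_ES = dict(  # a || b: no causality, no conflict
    events={"a", "b"}, causes=set(), conflict=set(),
    label={"a": "a", "b": "b"},
)

if __name__ == "__main__":
    for name, es in (("(a+b).c", CHOICE_THEN_C), ("a || b", PARALLEL_ES)):
        S, s0, T, I, co = event_structure_to_tsi(**es)
        print(name, len(S), "configurations", len(T), "transitions", sorted(co))
```

In $(a + b).c$ the conflict between $a$ and $b$ is inherited by $c_1$ and $c_2$, so co is empty and the structure is a tree; $a \parallel b$ yields the same four-transition diamond as the Petri net case.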

Notation 2.4 Given a transition $t = (s, a, s')$, also written as $s \xrightarrow{a} s'$ or $s \xrightarrow{t} s'$
if no confusion arises, we have that: state $s$ is called the source of $t$, and we write
$\sigma(t) = s$; state $s'$ is the target of $t$, and we write $\tau(t) = s'$; and $a$ is the label of $t$,
and we write $\delta(t) = a$. $\triangleleft$

Remark 2.5 The systems we study here may be finite or infinite, and this
is always explicitly stated. However, they all are 'image-finite', i.e., of finite
branching. $\triangleleft$
2.2 Modal Logic and the Mu-Calculus



In this paper we study modal logics based on the mu-calculus (and the
mu-calculus itself) since it can be used to express both linear-time and
branching-time temporal properties. But first, we review Hennessy-Milner logic (HML [20]),
a precursor modal language to the mu-calculus, which has played a major role 
in computer science, and especially in the specification of properties of concur- 
rent systems. Then we turn our attention to the modal mu-calculus simply by 
adding fixpoint operators to HML. After that we look at the logical equivalences 
induced by these logics and how they have been used as equivalences for
concurrency. See [8,47] for further information on modal logics, the mu-calculus, or
the equivalences induced by such logics. 

Hennessy-Milner Logic. HML is a modal logic of actions that has its roots 
in the study of process algebras for concurrent and communicating systems. It 
was intended as an alternative approach to the formalisation of the notion of 
'observational equivalence' for concurrent systems. As usual for modal logics, 
HML formulae are interpreted over the set of states of a system. 

Definition 2.6 Hennessy-Milner logic (HML [20]) has formulae $\phi$ built from
a set $\Sigma$ of labels $a, b, \ldots$ by the following grammar:

$$\phi ::= \mathit{ff} \mid \mathit{tt} \mid \phi_1 \land \phi_2 \mid \phi_1 \lor \phi_2 \mid \langle a \rangle \phi_1 \mid [a] \phi_1$$

where ff and tt are the false and true boolean constants, respectively, $\land$ and $\lor$
are boolean operators, and $\langle a \rangle \phi_1$ and $[a] \phi_1$ are the modalities of the logic. $\triangleleft$

The meanings of ff, tt, $\land$, and $\lor$ are the usual ones. On the other hand, the
semantics of the 'diamond' modality $\langle a \rangle \phi_1$ is, informally, that at a given state it
is possible to perform an $a$-labelled action to a state where $\phi_1$ holds; and dually
for the 'box' modality $[a] \phi_1$. Following [?7], we give the denotation of HML
formulae inductively using an LTS. The semantics of HML is as follows:

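Definition 2.7 An HML model $\mathcal{T}$ of a formula $\phi$ is an LTS $(S, T, \Sigma)$. The
denotation $\|\phi\|^{\mathcal{T}}$ of a formula $\phi$ is given as follows (omitting the superscript $\mathcal{T}$):

$$\|\mathit{ff}\| = \emptyset$$
$$\|\mathit{tt}\| = S$$
$$\|\phi_1 \land \phi_2\| = \|\phi_1\| \cap \|\phi_2\|$$
$$\|\phi_1 \lor \phi_2\| = \|\phi_1\| \cup \|\phi_2\|$$
$$\|\langle a \rangle \phi_1\| = \{s \in S \mid \exists s'.\ s \xrightarrow{a} s' \land s' \in \|\phi_1\|\}$$
$$\|[a] \phi_1\| = \{s \in S \mid \forall s'.\ s \xrightarrow{a} s' \Rightarrow s' \in \|\phi_1\|\}$$

The satisfaction relation $\models$ is defined in the usual way: $s \models \phi$ iff $s \in \|\phi\|$. $\triangleleft$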

One of the most interesting properties of HML is that it characterises
'bisimilarity' [20], the equivalence relation induced by modal logic. A bisimulation
between two rooted systems $\mathcal{T}_1$ and $\mathcal{T}_2$ with initial states $s_0$ and $q_0$, respectively,
is an equivalence relation $\sim_b$ such that $s_0 \sim_b q_0$ if, and only if, they
satisfy the same set of HML formulae. Then, we say that the two states $s_0$ and
$q_0$ (or equivalently the two rooted systems $\mathcal{T}_1$ and $\mathcal{T}_2$) are bisimilar iff there is
a bisimulation equivalence between them.

HML was initially defined as an alternative approach to understanding
process equivalence in the context of CCS; Milner and Hennessy [20] showed that if
two CCS processes are bisimilar, or in their words "observationally equivalent",
then they satisfy the same set of HML formulae. They found, therefore, a corre- 
spondence between the logical equivalence induced by HML and an equivalence 
for concurrency (bisimilarity or observational equivalence in this case), modulo 
LTS, the class of models used for giving the semantics of CCS expressions. 

Even though HML is quite a natural logic for studying process equivalences, it
is not so useful as a specification language, since it cannot express many temporal
properties. Due to this, stronger logics have been studied. We now review one
such logic, the modal mu-calculus, which has strong connections to HML and
a beautiful theory based on the addition of fixpoint operators to modal logic. 

Fixpoints and the Modal Mu-Calculus. Fixpoint logics or mu-calculi [8] are
logics that make use of fixpoint operators; in particular, the modal mu-calculus
is a simple extension of modal logic with fixpoint operators. The mu-calculus as
we use it nowadays was defined by Kozen [25], but it can also be seen as HML
with fixpoint operators. The use of fixpoints in program logics was, however, not 
new by the time the mu-calculus was proposed. It actually dates back at least 
to Park [36] already in the context of program verification. 

In informatics, and especially in concurrency and systems verification, the 
main motivation for extending a logic with fixpoint operators is the ability to 
express and study temporal properties of systems, that is, their (possibly infinite)
behaviour. In the remainder of this section we describe the mu-calculus, but before
giving a formal presentation of it let us state some concepts and results that 
relate to fixpoints in general and their ubiquity in lattices and ordered structures. 

Fixpoints in Ordered Structures. Fixpoints can be seen as equilibrium points. 
Their definition is simple: given a function $f$, we say that $x$ is a fixpoint of $f$ iff
$x = f(x)$; it is a pre-fixpoint of $f$ if $f(x) \le x$ and a post-fixpoint if $x \le f(x)$. As
we shall see, fixpoint theory is rather useful in logic when $f$ is monotonic and its
domain is a complete lattice. Before stating one of the results on fixpoints that 
is relevant to this work, let us introduce some ordered structures. 

A partially ordered set (poset) $(A, \le)$ is a set $A$ together with a reflexive,
transitive and anti-symmetric relation $\le$ on its elements. A lattice $\mathfrak{A} = (A, \le)$
is a poset where for every two elements $x$ and $y$ in $A$, arbitrary meets (written
$x \times y$) and joins (written $x + y$) exist. If, moreover, arbitrary meets and joins
exist for any subset $B \subseteq A$, then $\mathfrak{A}$ is a complete lattice.

Theorem 2.8 (Knaster-Tarski fixpoint theorem [49]) Let $f : A \to A$ be a
monotone mapping on a complete lattice $\mathfrak{A} = (A, \le)$. Then $f$ has a least fixpoint
$x_\mu$ and a greatest fixpoint $x_\nu$ determined, respectively, by the pre-fixpoints and
post-fixpoints of $f$:

$$x_\mu = \prod \{x \in A \mid f(x) \le x\}$$
$$x_\nu = \sum \{x \in A \mid x \le f(x)\}$$

where $\prod$ and $\sum$ are the generalisations to arbitrary sets of the operators $\times : A^2 \to
A$ and $+ : A^2 \to A$ on pairs of elements as described before. $\triangleleft$

The Modal Mu-Calculus. With these concepts in mind we are now ready to
present the modal mu-calculus in full as well as some properties of mu-formulae. 

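Definition 2.9 The modal mu-calculus $\mathcal{L}_\mu$ has formulae $\phi$ built from a
set Var of variables $Y, Z, \ldots$ and a set $\Sigma$ of labels $a, b, \ldots$ by the following grammar:

$$\phi ::= Z \mid \phi_1 \land \phi_2 \mid \phi_1 \lor \phi_2 \mid \langle a \rangle \phi_1 \mid [a] \phi_1 \mid \mu Z.\phi_1 \mid \nu Z.\phi_1$$

Also, define the boolean constants as $\mathit{ff} \stackrel{\text{def}}{=} \mu Z.Z$ and $\mathit{tt} \stackrel{\text{def}}{=} \nu Z.Z$, and assume
these abbreviations: $\langle K \rangle \phi_1$ for $\bigvee_{a \in K} \langle a \rangle \phi_1$ and $[K] \phi_1$ for $\bigwedge_{a \in K} [a] \phi_1$, where
$K \subseteq \Sigma$, as well as $[-] \phi_1$ for $[\Sigma] \phi_1$ and $[-K] \phi_1$ for $[\Sigma \setminus K] \phi_1$, and similarly for
the diamond modality. $\triangleleft$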

The meaning of the boolean and modal operators is as for HML. The two 
additional operators of $\mathcal{L}_\mu$, namely $\mu Z.\phi$ and $\nu Z.\phi$, are, respectively, the minimal
and maximal fixpoint operators of the logic. The denotations of mu-calculus 
formulae are given over the set of states of a system as follows: 

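Definition 2.10 A mu-calculus model $\mathfrak{M} = (\mathcal{T}, \mathcal{V})$ is an LTS $\mathcal{T} = (S, T, \Sigma)$
together with a valuation $\mathcal{V} : \mathit{Var} \to 2^S$. The denotation $\|\phi\|^{\mathcal{T}}_{\mathcal{V}}$ of a formula $\phi$ in
the model $\mathfrak{M}$ is a subset of $S$ given as follows (omitting the superscript $\mathcal{T}$):

$$\|Z\|_{\mathcal{V}} = \mathcal{V}(Z)$$
$$\|\phi_1 \land \phi_2\|_{\mathcal{V}} = \|\phi_1\|_{\mathcal{V}} \cap \|\phi_2\|_{\mathcal{V}}$$
$$\|\phi_1 \lor \phi_2\|_{\mathcal{V}} = \|\phi_1\|_{\mathcal{V}} \cup \|\phi_2\|_{\mathcal{V}}$$
$$\|\langle a \rangle \phi_1\|_{\mathcal{V}} = \{s \in S \mid \exists s' \in S.\ s \xrightarrow{a} s' \land s' \in \|\phi_1\|_{\mathcal{V}}\}$$
$$\|[a] \phi_1\|_{\mathcal{V}} = \{s \in S \mid \forall s' \in S.\ s \xrightarrow{a} s' \Rightarrow s' \in \|\phi_1\|_{\mathcal{V}}\}$$
$$\|\mu Z.\phi\|_{\mathcal{V}} = \bigcap \{Q \in 2^S \mid \|\phi\|_{\mathcal{V}[Z := Q]} \subseteq Q\}$$
$$\|\nu Z.\phi\|_{\mathcal{V}} = \bigcup \{Q \in 2^S \mid Q \subseteq \|\phi\|_{\mathcal{V}[Z := Q]}\}$$

where $\mathcal{V}[Z := Q]$ is the valuation $\mathcal{V}'$ which agrees with $\mathcal{V}$ save that $\mathcal{V}'(Z) = Q$. $\triangleleft$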



Note that the denotation of the fixpoint operators is given by the Knaster-Tarski
fixpoint theorem where $f$ is the mapping $\|\phi\|_{\mathcal{V}}$, the order relation $\le$ is
the subset inclusion relation $\subseteq$, and $\prod$ and $\sum$ are $\bigcap$ and $\bigcup$, respectively.
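
The denotations of Definition 2.10 computed on a finite LTS, as an added example that is not part of the original paper. It evaluates fixpoints by iteration from the empty set (for $\mu$) or from $S$ (for $\nu$), which on a finite state set reaches the same sets as the Knaster-Tarski characterisation, and a second function checks this by enumerating all pre-fixpoints and post-fixpoints. The tuple encoding of formulae, the sample LTS and all names are constructed assumptions.

```python
from itertools import chain, combinations

# Constructed LTS: 0 -a-> 1 -a-> 2 -b-> 2 and 0 -b-> 3; state 3 is a deadlock.
STATES = frozenset({0, 1, 2, 3})
TRANS = {(0, "a", 1), (1, "a", 2), (2, "b", 2), (0, "b", 3)}
LTS = (STATES, TRANS)
ANY = frozenset({"a", "b"})   # the whole label set, i.e. the <-> and [-] modalities

# Formulae are nested tuples: ("var", Z), ("and", f, g), ("or", f, g),
# ("dia", K, f), ("box", K, f), ("mu", Z, f), ("nu", Z, f), with K a set of labels.
TT = ("nu", "X", ("var", "X"))   # tt = nu Z.Z
FF = ("mu", "X", ("var", "X"))   # ff = mu Z.Z

def denote(phi, lts, val=None):
    """Set of states satisfying phi under valuation val (Definition 2.10)."""
    val = val or {}
    states, trans = lts
    op = phi[0]
    if op == "var":
        return val[phi[1]]
    if op == "and":
        return denote(phi[1], lts, val) & denote(phi[2], lts, val)
    if op == "or":
        return denote(phi[1], lts, val) | denote(phi[2], lts, val)
    if op in ("dia", "box"):
        labels, target = phi[1], denote(phi[2], lts, val)
        def succ(s):
            return {t for (p, a, t) in trans if p == s and a in labels}
        if op == "dia":
            return frozenset(s for s in states if succ(s) & target)
        return frozenset(s for s in states if succ(s) <= target)
    if op in ("mu", "nu"):
        z, body = phi[1], phi[2]
        # Iterate the monotone map Q -> ||body||_{V[Z:=Q]} until it stabilises.
        current = frozenset() if op == "mu" else frozenset(states)
        while True:
            nxt = denote(body, lts, {**val, z: current})
            if nxt == current:
                return current
            current = nxt
    raise ValueError(f"unknown operator {op!r}")

def powerset(states):
    s = sorted(states)
    return (frozenset(c) for c in
            chain.from_iterable(combinations(s, r) for r in range(len(s) + 1)))

def knaster_tarski(phi, lts, val=None):
    """Denotation of a top-level mu/nu formula taken literally from the
    definition: intersect all pre-fixpoints, or unite all post-fixpoints."""
    val = val or {}
    op, z, body = phi
    states = lts[0]
    result = frozenset(states) if op == "mu" else frozenset()
    for q in powerset(states):
        image = denote(body, lts, {**val, z: q})
        if op == "mu" and image <= q:
            result &= q
        elif op == "nu" and q <= image:
            result |= q
    return result

# mu Z. <b>tt or <->Z : some path reaches a state where b is possible.
CAN_REACH_B = ("mu", "Z", ("or", ("dia", {"b"}, TT), ("dia", ANY, ("var", "Z"))))
# nu Z. <->tt and [-]Z : no reachable state is a deadlock.
NEVER_STUCK = ("nu", "Z", ("and", ("dia", ANY, TT), ("box", ANY, ("var", "Z"))))
# nu Z. <b>Z versus mu Z. <b>Z : an infinite b-path exists / never holds.
INFINITE_B = ("nu", "Z", ("dia", {"b"}, ("var", "Z")))
FINITE_B = ("mu", "Z", ("dia", {"b"}, ("var", "Z")))

if __name__ == "__main__":
    for name in ("CAN_REACH_B", "NEVER_STUCK", "INFINITE_B", "FINITE_B"):
        print(name, sorted(denote(globals()[name], LTS)))
```

The last two formulae differ only in the fixpoint operator and already separate state 2 from every other state.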

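Also, let us define the 'subformulae' of a mu-calculus formula $\phi$; formally,
the subformula set $\mathit{Sub}(\phi)$ of an $\mathcal{L}_\mu$ formula $\phi$ is given by the Fischer-Ladner
closure of $\mathcal{L}_\mu$ formulae [25] in the following way:

$$\mathit{Sub}(Z) = \{Z\}$$
$$\mathit{Sub}(\phi_1 \land \phi_2) = \{\phi_1 \land \phi_2\} \cup \mathit{Sub}(\phi_1) \cup \mathit{Sub}(\phi_2)$$
$$\mathit{Sub}(\phi_1 \lor \phi_2) = \{\phi_1 \lor \phi_2\} \cup \mathit{Sub}(\phi_1) \cup \mathit{Sub}(\phi_2)$$
$$\mathit{Sub}(\langle a \rangle \phi_1) = \{\langle a \rangle \phi_1\} \cup \mathit{Sub}(\phi_1)$$
$$\mathit{Sub}([a] \phi_1) = \{[a] \phi_1\} \cup \mathit{Sub}(\phi_1)$$
$$\mathit{Sub}(\mu Z.\phi_1) = \{\mu Z.\phi_1\} \cup \mathit{Sub}(\phi_1)$$
$$\mathit{Sub}(\nu Z.\phi_1) = \{\nu Z.\phi_1\} \cup \mathit{Sub}(\phi_1)$$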

We finish this presentation of the mu-calculus with a note on its expressive 
power. One of the most interesting features of the mu-calculus is that many 
interesting temporal logics used for program verification can be embedded into
$\mathcal{L}_\mu$. The translation of CTL is straightforward, e.g., as shown in [25]; other
mappings, such as the one for CTL* and thus for LTL as well, are not so simple
but still possible [TDj. The source of the immense expressiveness of the
mu-calculus comes from the freedom to mix (or alternate) minimal and maximal
fixpoint operators arbitrarily. In fact, Bradfield showed that this alternation
defines a strict hierarchy 4,, one of the most remarkable results regarding the
expressivity of $\mathcal{L}_\mu$. These results, amongst many others, have made the
mu-calculus one of the most important and studied logics in informatics.



2.3 Logic Games for Verification 

A logic game [3] is played by two 'players', a "Verifier" ($\exists$) and a "Falsifier"
($\forall$), in order to verify the truth or falsity of a given property. In these games
the Verifier tries to show that the property holds, whereas the Falsifier wants to 
refute such an assertion. Solving these games amounts to answering the question 
of whether the Verifier has a 'strategy' to win all plays in the game. Usually the 
'board' where the game is played is a graph structure in which each position 
of the board belongs to only one of the two players. Due to this, the games are 
sequential since at any moment only one of them can play. A play can be of finite 
or infinite length, and the winner is determined by a set of winning conditions. 

There are different questions that can be asked in a verification game. For 
instance, if a logic formula has at least one model (a satisfiability problem), if a 
model satisfies a temporal property (a model-checking problem), or whether 
two systems are equivalent with respect to some notion of equivalence (an 
equivalence-checking problem). In this paper we are interested in two problems:
bisimulation and model-checking for concurrent systems with partial order
semantics. Some aspects of the games we are interested in deserve a remark.

Traditionally the players have been given names depending on the kind of 
verification game that is being played. For instance, in a bisimulation game the 
Verifier is called Duplicator whereas the Falsifier is called Spoiler. Similarly, in 
other kinds of games, the Verifier and Falsifier have been called, respectively, 
Eloise and Abelard, Player $\exists$ and Player $\forall$, Builder and Critic, Player $\Diamond$ and
Player $\Box$, Proponent and Opponent, Eve and Adam, or simply Player I and
Player II. In order to have a uniform notation, we choose to call them "Eve" 
and "Adam" regardless of the game they play. 

The boards where the games are played also have different structures depending
on the kind of verification problem that one wants to solve. In a bisimulation
game the board is made up of the elements of the two systems that are being
analysed, e.g., each position in the board is an element of the Cartesian product
of the state sets of the two systems. On the other hand, in a model-checking
game the board is composed of pairs of elements where one of the components
is an element of the model being checked and the other component relates to 
the temporal property under consideration. These game features are formally 
defined whenever new bisimulation or model-checking games are presented. 

Finally, notice that by playing a logic game the two players jointly define 
sequences of positions of the game board. Such sequences are called plays of the 
game. Let $\Gamma$ be the set of plays of a game and $\mathfrak{B}$ be a game board, i.e., a set
of positions in the game. Then, a deterministic strategy is a function $\lambda : \Gamma \to \mathfrak{B}$
from plays to positions of the game board, so that such strategies define the next
move a player makes. But in some cases, in order for a player to make a move he
or she only needs to know their current position. In these cases, their strategies
can be defined as functions on the set of positions of the board, rather than on
the set of plays of the game. These strategies are called 'history-free' — positional
or memoryless. Formally, a history-free strategy is a function $\lambda : \mathfrak{B} \to \mathfrak{B}$. Finally,
a winning strategy is a strategy that guarantees that the player that uses it can 
win all plays of the game. Here, we only deal with history-free winning strategies. 

Bisimulation Games. Bisimulation games are formal and interactive charac- 
terisations of a family of equivalence relations called bisimulation equivalences. 
One of the simplest bisimulation equivalences is 'bisimilarity', the equivalence 
relation induced by modal logic. This equivalence was defined, independently, 
by Johan van Benthem [2] while studying the semantics of modal logic, and 
a few years later by Milner and Park [30,37] while studying the behaviour of
concurrent systems with interleaving semantics. 

More precisely, a bisimulation game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$ is a formal representation of
a bisimulation equivalence $\sim_{eq}$ between two systems $\mathfrak{T}_1$ and $\mathfrak{T}_2$. Whereas Eve
believes that $\mathfrak{T}_1 \sim_{eq} \mathfrak{T}_2$, Adam wants to show that $\mathfrak{T}_1 \not\sim_{eq} \mathfrak{T}_2$. All plays start in
the initial position $(s_0, q_0)$ consisting of the initial states of the systems, and the
players take alternating turns — although Adam always plays first and chooses
where to play. Thus, in every round of the game Adam makes the first move in
either system according to a set of rules, and then Eve must make a corresponding
$\sim_{eq}$-equivalent move on the other system; the game can proceed in this way
indefinitely. Thus, the plays of the game can be of finite or infinite length. All 
plays of infinite length are winning for Eve; in the case of plays of finite length, 
the player who cannot make a move loses the game. These winning conditions 
apply to all the bisimulation games we study here. 

In concurrency, bisimulation games are often used to show that two concurrent
systems interact equivalently (with respect to $\sim_{eq}$) with an arbitrary
environment. Since the exact definition of a particular bisimulation equivalence
$\sim_{eq}$ can be altered (strengthened or weakened) by the kinds of properties that
one wants to analyse, the set of rules for playing a bisimulation game
can be different in each game. The best known bisimulation game for interleav- 
ing concurrency is the one that characterises 'strong' bisimilarity (sb [20]), the 
bisimulation equivalence induced by HML. 

However, in order to capture properties of partial order models rather than 
of interleaving ones, equivalences finer than strong bisimilarity have been defined 
as well as their associated bisimulation games. Two of the most important
bisimulation games for partial order models are the ones that characterise
'history-preserving' bisimilarity (hpb [42]) and 'hereditary history-preserving'
bisimilarity (hhpb [22]). Both (history-preserving) bisimulation equivalences, together
with a deep study of their applications to concurrency, can be found in [15]. Let
us now introduce some concepts needed to present the bisimulation games that 
characterise sb, hpb, and hhpb. 

Strong Bisimulation Games. A bisimulation game for strong bisimilarity is
played on a board $\mathfrak{B}$ composed of pairs $(s, q)$ of states $s$ and $q$ of two
systems $\mathfrak{T}_1$ and $\mathfrak{T}_2$, respectively. Such a pair is a position of the board $\mathfrak{B}$ and is
called a 'configuration' of the game. The position $(s_0, q_0)$, where $s_0$ and $q_0$ are
the initial states of $\mathfrak{T}_1$ and $\mathfrak{T}_2$, is the initial configuration. Since the strategies of
the game are history-free, a strategy $\lambda$ is a partial function on $\mathfrak{B} \subseteq S \times Q$,
where $S$ and $Q$ are the state sets of the two systems $\mathfrak{T}_1$ and $\mathfrak{T}_2$, respectively.

Notation 2.11 Since a system has only one initial state, a bisimulation game
can be unambiguously presented as either $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$ or $\mathcal{G}(s_0, q_0)$ if the two
systems are obvious from the context. Also, since bisimulation games are symmetric,
we omit the subscript in $\mathfrak{T}$ whenever referring to either system. ◁

Definition 2.12 (Strong bisimulation games) Let $(s, q)$ be a configuration
of the game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$. There are two players, Adam and Eve, and Adam always
plays first and chooses where to play. The equivalence relation $R_{sb}$ is a strong
bisimulation, $\sim_{sb}$, between $\mathfrak{T}_1$ and $\mathfrak{T}_2$ if:

— (Base case) The initial configuration $(s_0, q_0)$ is in $R_{sb}$.

— ($\sim_{sb}$ rule) If $(s, q)$ is in $R_{sb}$ and Adam chooses a transition in $\mathfrak{T}$, say a
transition $s \xrightarrow{a} s'$ of $\mathfrak{T}_1$, then Eve must choose a transition in the other
system (any $q \xrightarrow{a} q'$ of $\mathfrak{T}_2$ in this case), such that the new configuration
$(s', q')$ is in $R_{sb}$ as well.

$\mathfrak{T}_1 \sim_{sb} \mathfrak{T}_2$ iff Eve has a winning strategy for the sb game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$. ◁

This bisimulation game does not capture any information of partial order models
that is not already present in their interleaving counterparts. For this reason,
games for strong bisimilarity are considered games for interleaving concurrency 
rather than for partial order concurrency. In order to capture properties of par- 
tial order models, one has to recognise at least when two transitions of a system 
are independent and hence executable in parallel. This feature is captured by 
the following finer games. 

History-Preserving Bisimulation Games. A game for history-preserving bisimilarity
is a bisimulation game as presented before with a further 'synchronisation'
requirement on transitions. Such a synchronisation requirement makes the se- 
lection of transitions by Eve more restricted. Let us first define this notion of 
synchronisation on transitions before making a formal presentation of the game. 

A possibly empty sequence of transitions $\pi = [t_1, \ldots, t_k]$ is a run of a system
$\mathfrak{T}$. Let $\Pi_{\mathfrak{T}}$ be the set of runs of $\mathfrak{T}$ and $\rho(\pi)$ be the last transition of $\pi$. Define
$\varepsilon = \rho([\,])$ and $s_0 = \sigma(\varepsilon) = \tau(\varepsilon)$, for an empty sequence $[\,]$. Given a run $\pi$
and a transition $t$, the sequence $\pi.t$ denotes the run $\pi$ extended with $t$. Let
$\pi_1 \in \Pi_{\mathfrak{T}_1}$ and $\pi_2 \in \Pi_{\mathfrak{T}_2}$ for two systems $\mathfrak{T}_1$ and $\mathfrak{T}_2$. We say that the pair of runs
$(\pi_1.u, \pi_2.v)$ is synchronous iff $(\rho(\pi_1), u) \in I_1 \Leftrightarrow (\rho(\pi_2), v) \in I_2$, where $I_1$ and $I_2$
are the independence relations of $\mathfrak{T}_1$ and $\mathfrak{T}_2$, and the posets induced by $\pi_1.u$
with $I_1$ and $\pi_2.v$ with $I_2$ are isomorphic.¹ By definition $(\varepsilon, \varepsilon)$ is synchronous. As
it is more convenient to define hpb games on pairs of runs rather than on pairs
of states, a configuration of the game will be a pair of runs.

Definition 2.13 (History-preserving bisimulation games) Let $(\pi_1, \pi_2)$ be
a configuration of the game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$. The initial configuration of the game is
$(\varepsilon, \varepsilon)$. The relation $R_{hpb}$ is a history-preserving (hp) bisimulation, $\sim_{hpb}$, between
$\mathfrak{T}_1$ and $\mathfrak{T}_2$ iff it is a strong bisimulation relation between $\mathfrak{T}_1$ and $\mathfrak{T}_2$ and:

— (Base case) The initial configuration $(\varepsilon, \varepsilon)$ is in $R_{hpb}$.

— ($\sim_{hpb}$ rule) If $(\pi_1, \pi_2)$ is in $R_{hpb}$ and Adam chooses a transition $u$ in either
system, say in $\mathfrak{T}_1$, such that $u = \tau(\rho(\pi_1)) \xrightarrow{a} s'$, then Eve must choose a
transition $v$ in the other system such that $v = \tau(\rho(\pi_2)) \xrightarrow{a} q'$ and the new
configuration $(\pi_1.u, \pi_2.v)$ is synchronous, i.e., $(\pi_1.u, \pi_2.v)$ is in $R_{hpb}$ as well.

$\mathfrak{T}_1 \sim_{hpb} \mathfrak{T}_2$ iff Eve has a winning strategy for the hpb game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$. ◁

Hereditary History-Preserving Bisimulation Games. A bisimulation game for
hereditary history-preserving bisimilarity is an hpb game extended with
backtracking moves. These backtracking moves are restricted to transitions that
are 'backwards enabled'. More specifically, let $\pi(i)$ be the $i$-th transition in
$\pi$. Given a run $\pi = [t_1, \ldots, t_k]$, a transition $\pi(i)$ is backwards enabled if, and
only if, it is independent of all transitions $t_j$ that appear after it in $\pi$, i.e., iff
$\forall t_j \in \{\pi(i+1), \ldots, \pi(k)\}.\ \pi(i) \mathrel{I} t_j$.

This definition captures the fact that backwards enabled transitions are the
terminal elements of the partial order induced by the independence relation $I$ on
the transitions in $\pi$. Now, let $\pi - \pi(i)$ be the sequence of transitions $\pi$ without
its $i$-th element $\pi(i)$. It should be clear that if $\pi(i)$ is backwards enabled, then
the partial order induced by $I$ on those transitions in $\pi - \pi(i)$ is just the same
partial order induced by $I$ on $\pi$ without the terminal element or transition $\pi(i)$.
Formally, an hhpb game is defined as follows:

¹ Given a run $\pi$ and an independence relation $I$, there is a poset $(E, \leq_E)$ induced
by $\pi$ with $I$ such that $E$ has as elements the event occurrences associated with the
transitions in $\pi$ and where the partial order relation $\leq_E$ is defined by the event
structure unfolding of the system whose independence relation is $I$.

Definition 2.14 (Hereditary history-preserving bisimulation games)
Let $(\pi_1, \pi_2)$ be a configuration of the game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$. The initial configuration
of the game is $(\varepsilon, \varepsilon)$. The equivalence relation $R_{hhpb}$ is a hereditary
history-preserving (hhp) bisimulation, $\sim_{hhpb}$, between $\mathfrak{T}_1$ and $\mathfrak{T}_2$ iff it is a
history-preserving bisimulation between $\mathfrak{T}_1$ and $\mathfrak{T}_2$ and:

— (Base case) The initial configuration $(\varepsilon, \varepsilon)$ is in $R_{hhpb}$.

— ($\sim_{hhpb}$ rule) If $(\pi_1, \pi_2)$ is in $R_{hhpb}$ and Adam deletes, say from $\pi_1$, a transition
$\pi_1(i)$ that is backwards enabled, then Eve must delete the transition $\pi_2(i)$
from the history of the game in the other system, provided that $\pi_2(i)$ is also
backwards enabled and that the new configuration $(\pi_1 - \pi_1(i), \pi_2 - \pi_2(i))$ is
in $R_{hhpb}$ as well.

$\mathfrak{T}_1 \sim_{hhpb} \mathfrak{T}_2$ iff Eve has a winning strategy for the hhpb game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$. ◁

Unlike the game for $\sim_{sb}$, which is a game for interleaving concurrency, both
history-preserving games presented here can capture properties of partial order
models and differentiate them from their interleaving counterparts. The simplest
example is the case of two processes $a \parallel b$ and $a.b + b.a$, which are equivalent from
an interleaving viewpoint, but different if considering partial order semantics.
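
The contrast just stated, played out on $a \parallel b$ and $a.b + b.a$: the sb game is won by Eve, the hpb game by Adam. This is an added Python example, not code from the paper. Assumptions: the dictionary encoding and all names are illustrative, independence is listed for every pair of transitions that can share a run, synchrony is checked position by position on the two runs, and a play that reaches the depth bound is counted for Eve in place of an infinite play.

```python
from itertools import product

def make_system(init, transitions, independent=()):
    """transitions: {name: (source, label, target)}; independent: pairs of names (relation I)."""
    return {"init": init, "T": dict(transitions),
            "I": {frozenset(p) for p in independent}}

def enabled(system, state):
    return [t for t, (src, _, _) in system["T"].items() if src == state]

def states(system):
    return {system["init"]} | {x for (s, _, d) in system["T"].values() for x in (s, d)}

def strongly_bisimilar(sys1, sys2):
    """Eve wins the sb game iff (s0, q0) survives in the greatest fixpoint R_sb."""
    rel = set(product(states(sys1), states(sys2)))

    def answered(mover, p, other, q, as_pair):
        # every move p -a-> p2 by Adam needs a reply q -a-> q2 that stays inside rel
        for t in enabled(mover, p):
            _, label, p2 = mover["T"][t]
            if not any(other["T"][u][1] == label and as_pair(p2, other["T"][u][2]) in rel
                       for u in enabled(other, q)):
                return False
        return True

    changed = True
    while changed:
        changed = False
        for (s, q) in list(rel):
            if not (answered(sys1, s, sys2, q, lambda a, b: (a, b))
                    and answered(sys2, q, sys1, s, lambda b, a: (a, b))):
                rel.discard((s, q))
                changed = True
    return (sys1["init"], sys2["init"]) in rel

def causal_order(system, run):
    """Pairs of positions (i, j), i before j, in the poset the run induces with I."""
    n = len(run)
    order = {(i, j) for i in range(n) for j in range(i + 1, n)
             if frozenset((run[i], run[j])) not in system["I"]}
    for k in range(n):                      # transitive closure
        for i in range(n):
            for j in range(n):
                if (i, k) in order and (k, j) in order:
                    order.add((i, j))
    return order

def end_state(system, run):
    return system["T"][run[-1]][2] if run else system["init"]

def eve_wins_hpb(sys1, sys2, run1=(), run2=(), depth=8):
    """Eve wins the hpb game from configuration (run1, run2), explored to a bounded depth."""
    if depth == 0:
        return True          # stands in for an infinite play, which Eve wins
    for adam_in_first in (True, False):
        mover, m_run, other, o_run = ((sys1, run1, sys2, run2) if adam_in_first
                                      else (sys2, run2, sys1, run1))
        for u in enabled(mover, end_state(mover, m_run)):
            label = mover["T"][u][1]
            replies = []
            for v in enabled(other, end_state(other, o_run)):
                if other["T"][v][1] != label:
                    continue
                n1, n2 = ((m_run + (u,), o_run + (v,)) if adam_in_first
                          else (o_run + (v,), m_run + (u,)))
                # synchronous: both extended runs induce the same order on positions
                if causal_order(sys1, n1) == causal_order(sys2, n2):
                    replies.append((n1, n2))
            if not any(eve_wins_hpb(sys1, sys2, a, b, depth - 1) for a, b in replies):
                return False
    return True

# Constructed systems: PAR is a || b (an independence diamond), SEQ is a.b + b.a.
PAR = make_system("p0",
                  {"a1": ("p0", "a", "p1"), "b1": ("p0", "b", "p2"),
                   "b2": ("p1", "b", "p3"), "a2": ("p2", "a", "p3")},
                  independent=[("a1", "b1"), ("a1", "b2"), ("a2", "b1"), ("a2", "b2")])
SEQ = make_system("q0",
                  {"c1": ("q0", "a", "q1"), "c2": ("q1", "b", "q3"),
                   "d1": ("q0", "b", "q2"), "d2": ("q2", "a", "q4")})

if __name__ == "__main__":
    print("strongly bisimilar:", strongly_bisimilar(PAR, SEQ))
    print("Eve wins hpb game: ", eve_wins_hpb(PAR, SEQ))
```

Adam's winning line in the hpb game is to play the a-transition and then the b-transition of the diamond: Eve's only b-reply in `SEQ` is causally ordered after her a, so the two runs induce different orders.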

Model-Checking Games. Model-checking games [16,51], also called Hintikka
evaluation games, are logic games played on a formula $\phi$ and a mathematical
model $\mathfrak{M}$. In a game $\mathcal{G}(\mathfrak{M}, \phi)$ the goal of Eve is to show that $\mathfrak{M} \models \phi$, while
Adam believes that $\mathfrak{M} \not\models \phi$. In program verification, most usually $\phi$ is a modal
or a temporal formula and $\mathfrak{M}$ is a Kripke structure or an LTS, and the two
players play the game $\mathcal{G}(\mathfrak{M}, \phi)$ by picking single elements of $\mathfrak{M}$, according to the
game rules defined by $\phi$. For now, let us consider model-checking games played
on interleaving models and on formulae given as mu-calculus specifications.

The game we are about to describe is the local model-checking procedure 
for the mu-calculus as defined by Stirling [55]. It is a game interpretation of the
tableau technique for mu-calculus model-checking introduced by Stirling and
Walker [48]. Although the game is naturally played on interleaving models of 
concurrency, it can also be used to model-check partial order models, such as 
Petri nets, if one considers their one-step interleaving semantics, e.g., as in [7]. 

Local Model-Checking Games in the Mu-Calculus. A local model-checking game
$\mathcal{G}(\mathfrak{M}, \phi)$ is played on a mu-calculus model $\mathfrak{M} = (\mathfrak{T}, \mathcal{V})$, where $\mathfrak{T} = (S, s_0, T, \Sigma)$ is
an interleaving system, and on a mu-calculus formula $\phi$. Since the game is local,
that is, it answers the question of whether the initial state $s_0$ satisfies $\phi$,
it can also be presented as $\mathcal{G}_{\mathfrak{M}}(s_0, \phi)$, or even as $\mathcal{G}(s_0, \phi)$ whenever the model
$\mathfrak{M}$ is clear from the context. The board in which the game is played has the
form $\mathfrak{B} \subseteq S \times Sub(\phi)$, where $Sub(\phi)$ is the set of subformulae of a mu-calculus
formula $\phi$ as defined by the Fischer-Ladner closure of mu-calculus formulae.

A play is a possibly infinite sequence of configurations $C_0, C_1, \ldots$; each $C_i =
(s, \psi)$ is an element of the board $\mathfrak{B}$, i.e., it is a position of the game. Every
play starts in $C_0 = (s_0, \phi)$, and proceeds according to the rules of the game,
given below. Two deterministic rules control the unfolding of fixpoint operators.
Moreover, given a configuration $(s, \phi)$, the rules for $\vee$ and $\wedge$ make, respectively,
Eve and Adam choose a next configuration $(s, \psi)$ which is determined by the
subformula set of $\phi$. Similarly, the rules for $\langle\,\rangle$ and $[\,]$ make, respectively, Eve and
Adam choose a next configuration $(q, \psi)$ which is determined by those transitions
$t$ such that $s = \sigma(t)$ and $q = \tau(t)$. These conditions can be captured in the
following way. Let $(s, \phi)$ be the current configuration of the game; the next
configuration of the game is defined by the following game rules:

— if $\phi = \mu Z.\psi$ (resp. $\phi = \nu Z.\psi$), then Eve (resp. Adam) replaces $\mu Z.\psi$ (resp.
$\nu Z.\psi$) by its associated variable $Z$ and the next configuration is $(s, Z)$.

— if $\phi = Z$ such that $\varphi = \mu Z.\psi$ (resp. $\varphi = \nu Z.\psi$) for some formula $\varphi$, then
Eve (resp. Adam) unfolds the fixpoint and the next configuration is $(s, \psi)$.

— if $\phi = \psi_1 \vee \psi_2$ (resp. $\phi = \psi_1 \wedge \psi_2$), then Eve (resp. Adam) chooses some $\psi_i$,
for $i \in \{1, 2\}$, and the next configuration is $(s, \psi_i)$.

— if $\phi = \langle a \rangle \psi$ (resp. $\phi = [a] \psi$), then Eve (resp. Adam) chooses a transition
$s \xrightarrow{a} s'$ and the next configuration is $(s', \psi)$.

Finally, the following rules are the winning conditions that determine a unique
winner for every finite or infinite play $C_0, C_1, \ldots$ in a game $\mathcal{G}(s_0, \phi)$. Adam wins
a finite play $C_0, C_1, \ldots, C_k$ or an infinite play $C_0, C_1, \ldots$ iff:

1. $C_k = (s, Z)$ and $s \notin \mathcal{V}(Z)$.

2. $C_k = (s, \langle a \rangle \psi)$ and $\{s' \mid s \xrightarrow{a} s'\} = \emptyset$.

3. The play is of infinite length and there exists a mu-calculus formula $Z$ which
is both the least fixpoint of some subformula $\mu Z.\psi$ and the syntactically
outermost variable in $\phi$ that occurs infinitely often in the game.

Dually, Eve wins a finite play $C_0, C_1, \ldots, C_k$ or an infinite play $C_0, C_1, \ldots$ iff:

1. $C_k = (s, Z)$ and $s \in \mathcal{V}(Z)$.

2. $C_k = (s, [a] \psi)$ and $\{s' \mid s \xrightarrow{a} s'\} = \emptyset$.

3. The play is of infinite length and there exists a mu-calculus formula $Z$ which
is both the greatest fixpoint of some subformula $\nu Z.\psi$ and the syntactically
outermost variable in $\phi$ that occurs infinitely often in the game.

Then $s_0 \models \phi$ iff Eve has a winning strategy in the model-checking game $\mathcal{G}(s_0, \phi)$.
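
The game rules and winning conditions above, built as a game graph and solved for Eve; this is an added Python example, not Stirling's tableau procedure or code from the paper. It swaps in Zielonka's recursive parity-game algorithm, encodes "outermost variable occurring infinitely often" as a priority derived from fixpoint nesting depth, and turns a stuck player into a losing self-loop. The tuple encoding of formulae and all names are assumptions, and formulae are taken to be in positive normal form.

```python
EVE, ADAM = 0, 1

def binders(f, depth=0, out=None):
    """Map each bound variable to (kind, body, number of enclosing fixpoints)."""
    out = {} if out is None else out
    if f[0] in ("mu", "nu"):
        out[f[1]] = (f[0], f[2], depth)
        binders(f[2], depth + 1, out)
    elif f[0] in ("or", "and"):
        binders(f[1], depth, out)
        binders(f[2], depth, out)
    elif f[0] in ("dia", "box"):
        binders(f[2], depth, out)
    return out

def build_game(trans, valuation, s0, phi):
    """Board of configurations (s, psi) reachable from (s0, phi), with owner and priority."""
    bound = binders(phi)
    owner, succ, prio, todo = {}, {}, {}, [(s0, phi)]
    while todo:
        pos = todo.pop()
        if pos in owner:
            continue
        s, f = pos
        kind = f[0]
        prio[pos] = 0
        if kind in ("mu", "nu"):                    # replace the fixpoint by its variable
            nxt, who = [(s, ("var", f[1]))], (EVE if kind == "mu" else ADAM)
        elif kind == "var" and f[1] in bound:       # unfold the fixpoint
            fix, body, depth = bound[f[1]]
            nxt, who = [(s, body)], (EVE if fix == "mu" else ADAM)
            # outermost variable gets the highest priority; odd for mu, even for nu
            prio[pos] = 2 * (len(bound) - depth) + (1 if fix == "mu" else 0)
        elif kind == "var":                         # free variable: decided by the valuation
            nxt, who = [], (ADAM if s in valuation.get(f[1], ()) else EVE)
        elif kind in ("or", "and"):
            nxt, who = [(s, f[1]), (s, f[2])], (EVE if kind == "or" else ADAM)
        else:                                       # ("dia", a, psi) or ("box", a, psi)
            nxt = [(t, f[2]) for (p, a, t) in trans if p == s and a == f[1]]
            who = EVE if kind == "dia" else ADAM
        if not nxt:                                 # the player to move is stuck and loses
            nxt, prio[pos] = [pos], (1 if who == EVE else 0)
        owner[pos], succ[pos] = who, nxt
        todo.extend(nxt)
    return owner, succ, prio

def attractor(nodes, owner, succ, player, target):
    """Positions inside `nodes` from which `player` can force a visit to `target`."""
    attr = set(target)
    changed = True
    while changed:
        changed = False
        for v in nodes - attr:
            outs = [w for w in succ[v] if w in nodes]
            if ((owner[v] == player and any(w in attr for w in outs)) or
                    (owner[v] != player and outs and all(w in attr for w in outs))):
                attr.add(v)
                changed = True
    return attr

def zielonka(nodes, owner, succ, prio):
    """Return (winning region of Eve, winning region of Adam) for the max-parity game."""
    if not nodes:
        return set(), set()
    top = max(prio[v] for v in nodes)
    p = top % 2                                     # even priorities favour Eve
    a = attractor(nodes, owner, succ, p, {v for v in nodes if prio[v] == top})
    sub = zielonka(nodes - a, owner, succ, prio)
    result = [set(), set()]
    if not sub[1 - p]:
        result[p] = set(nodes)
        return tuple(result)
    b = attractor(nodes, owner, succ, 1 - p, sub[1 - p])
    rest = zielonka(nodes - b, owner, succ, prio)
    result[p], result[1 - p] = rest[p], rest[1 - p] | b
    return tuple(result)

def eve_wins(trans, valuation, s0, phi):
    owner, succ, prio = build_game(trans, valuation, s0, phi)
    return (s0, phi) in zielonka(set(owner), owner, succ, prio)[EVE]

# Constructed inputs: two small LTSs and two formulae.
LOOP = [("s0", "a", "s1"), ("s1", "b", "s0")]
ONLY_B = [("t0", "b", "t0")]
INF_A = ("nu", "Z", ("mu", "Y", ("or", ("dia", "a", ("var", "Z")),
                                  ("dia", "b", ("var", "Y")))))   # some path with a infinitely often
REACH_P = ("mu", "Y", ("or", ("var", "P"), ("dia", "a", ("var", "Y"))))
```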

3 Mu-Calculi with Partial Order Semantics 

In this section we study the underlying mathematical properties of the partial 
order models of concurrency presented before, and show that the behaviour of 
these systems can be captured in a uniform way by two simple and general 
dualities of local behaviour. We use these dualities of local behaviour to define 
a number of mu-calculi, or fixpoint modal logics, with partial order semantics. 
This work delivers a logical approach to defining a notion of equivalence for 
concurrency tailored to be abstract or model independent, setting the grounds for 
a logic-based framework for studying different models for concurrency uniformly. 

3.1 Local Dualities in Partial Order Models



We present two ways in which concurrency can be regarded as a dual concept to 
conflict and causality, respectively. These two ways of observing concurrency will 
be called immediate concurrency and linearised concurrency. Whereas immedi- 
ate concurrency is dual to conflict, linearised concurrency is dual to causality. 
These local dualities were first defined in [15].

The intuitions behind these two observations are the following. Consider a
concurrent system and any two different transitions $t$ and $t'$ with the same source
node, i.e., $\sigma(t) = \sigma(t')$. These two transitions are either immediately concurrent,
and therefore independent, i.e., $(t, t') \in I$, or dependent, in which case they must
be in conflict. Similarly, consider any two transitions $t$ and $t'$ where $\tau(t) = \sigma(t')$.
Again, the pair of transitions $(t, t')$ can either belong to $I$, in which case the two
transitions are concurrent, yet have been linearised, or the pair does not belong
to $I$, and therefore the two transitions are causally dependent. In both cases,
the two conditions are exclusive and there are no other possibilities.

The local dualities just described are formally defined in the following way: 

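$\otimes = \{(t, t') \in T \times T \mid \sigma(t) = \sigma(t') \wedge t \mathrel{I} t'\}$

$\# = \{(t, t') \in T \times T \mid \sigma(t) = \sigma(t') \wedge \neg(t \mathrel{I} t')\}$

$\ominus = \{(t, t') \in T \times T \mid \tau(t) = \sigma(t') \wedge t \mathrel{I} t'\}$

$\leq = \{(t, t') \in T \times T \mid \tau(t) = \sigma(t') \wedge \neg(t \mathrel{I} t')\}$

Notice the dual conditions between $\otimes$ and $\#$ and between $\ominus$ and $\leq$ with
respect to the independence relation, assuming that the locality requirement is valid.

Definition 3.1 Let $t$ and $t'$ be two transitions. We say that $t$ and $t'$ are immediately
concurrent iff $(t, t') \in \otimes$, in conflict iff $(t, t') \in \#$, linearly concurrent iff
$(t, t') \in \ominus$, or causally dependent iff $(t, t') \in \leq$. ◁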



Sets in a Local Context. The relation $\otimes$ defined on pairs of transitions, can
be used to recognise sets where every transition is independent of each other
and hence can all be executed concurrently. Such sets are said to be conflict-free
and belong to the same 'trace'.

Definition 3.2 A conflict-free set of transitions $P$ is a set of transitions with
the same source node, where $t \otimes t'$ for each two elements $t$ and $t'$ in $P$. ◁

Notice that by definition empty sets and singleton sets are trivially conflict-free.
Given a system $\mathfrak{T}$, all conflict-free sets of transitions at a state $s$ can be
defined locally from the maximal set of transitions $\mathfrak{X}(s)$, where $\mathfrak{X}(s)$ is the set
of all transitions $t$ such that $\sigma(t) = s$. We simply write $\mathfrak{X}$ when the state $s$ is
defined elsewhere or is implicit from the context. Moreover, all maximal sets and
conflict-free sets of transitions are fixed given a particular system $\mathfrak{T}$.

Definition 3.3 Given a system $\mathfrak{T}$, a support set $R$ in $\mathfrak{T}$ is either a maximal set
of transitions in $\mathfrak{T}$ or a non-empty conflict-free set of transitions in $\mathfrak{T}$. ◁

Given a system $\mathfrak{T}$, the set of all its support sets is denoted by $\mathfrak{P}$. As can be
seen from the definition, support sets can be of two kinds, and one of them provides
us with a way of doing local reasoning. More precisely, doing local reasoning
on sets of independent transitions becomes possible when considering conflict-free
sets since they can be decomposed into smaller sets, where every transition
is, as well, independent of each other. Using standard notation on sets, we write
$P_1 \uplus P_2$ to denote the disjoint union of sets $P_1$ and $P_2$. If both $P_1$ and $P_2$ are
support sets then we have that $P_1 \neq \emptyset$ and $P_2 \neq \emptyset$, and hence $P_1 \uplus P_2 \neq \emptyset$.

Definition 3.4 Given a support set $R$, a complete trace $M$ of $R$, denoted by
$M \sqsubseteq R$, is a support set $M \subseteq R$ such that $\neg\exists t \in R \setminus M.\ \forall t' \in M.\ t \otimes t'$. ◁

Note that if $R$ is a conflict-free support set, then $M = R$. Otherwise, $R$
necessarily is a maximal set $\mathfrak{X}$ and $M$ must be a proper subset of $R$. Therefore,
if $R = \mathfrak{X}$, then the sets $M$ such that $M \sqsubseteq \mathfrak{X}$ are the biggest conflict-free support
sets that can be recognised in a particular state $s$ of a system $\mathfrak{T}$; we call them
maximal traces. Since all complete and maximal traces are support sets, then
they are also fixed and computable given a particular system $\mathfrak{T}$.
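
The four local relations of Definition 3.1 and the support sets and complete traces of Definitions 3.3 and 3.4, computed for a small system; this is an added Python example, not code from the paper. The system, the relation names and the function names are constructed for illustration, and complete traces are taken to be conflict-free, following the note after Definition 3.4.

```python
from itertools import combinations, product

# Constructed system: name -> (source, label, target).  At s0, a and b are
# concurrent while c is in conflict with both; d can only follow c.
T = {"ta": ("s0", "a", "s1"), "tb": ("s0", "b", "s2"), "tc": ("s0", "c", "s3"),
     "tb2": ("s1", "b", "s4"), "ta2": ("s2", "a", "s4"), "td": ("s3", "d", "s5")}
I = {frozenset(p) for p in [("ta", "tb"), ("ta", "tb2"), ("tb", "ta2"), ("ta2", "tb2")]}

def dualities(T, I):
    """Classify pairs of transitions by the two local dualities."""
    rel = {"imm_concurrent": set(), "conflict": set(),
           "lin_concurrent": set(), "causal": set()}
    for t, u in product(T, repeat=2):
        independent = frozenset((t, u)) in I
        if t != u and T[t][0] == T[u][0]:       # two different transitions, same source
            rel["imm_concurrent" if independent else "conflict"].add((t, u))
        if T[t][2] == T[u][0]:                  # target of t is the source of u
            rel["lin_concurrent" if independent else "causal"].add((t, u))
    return rel

def maximal_set(T, state):
    """All transitions whose source is `state`."""
    return frozenset(t for t in T if T[t][0] == state)

def conflict_free_subsets(R, conc):
    """Non-empty subsets of R whose elements are pairwise immediately concurrent."""
    return {frozenset(c)
            for n in range(1, len(R) + 1)
            for c in combinations(sorted(R), n)
            if all((t, u) in conc for t, u in combinations(c, 2))}

def support_sets(T, I, state):
    """The maximal set at `state` plus every non-empty conflict-free set there."""
    X = maximal_set(T, state)
    return conflict_free_subsets(X, dualities(T, I)["imm_concurrent"]) | {X}

def complete_traces(R, conc):
    """Conflict-free M inside R such that no t in R minus M is concurrent with all of M."""
    return {M for M in conflict_free_subsets(R, conc)
            if not any(all((t, u) in conc for u in M) for t in R - M)}

if __name__ == "__main__":
    d = dualities(T, I)
    X0 = maximal_set(T, "s0")
    print("support sets at s0:", sorted(map(sorted, support_sets(T, I, "s0"))))
    print("maximal traces at s0:", sorted(map(sorted, complete_traces(X0, d["imm_concurrent"]))))
```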

3.2 Fixpoint Logics with Partial Order Models 

The local dualities and sets defined in the previous section can be used to build 
the semantics of a number of fixpoint modal logics which capture that behaviour 
of partial order models that is not present in interleaving ones. As a consequence, 
these logics may be more adequate languages for expressing properties of partial 
order systems such as Petri nets, event structures, or TSI. 

The naturality of these logics is reflected by the bisimulation equivalences 
they induce, since in several cases they either coincide with standard bisimi- 
larities for concurrency, e.g., with sb or with hpb, or have better decidability 
properties than other already known bisimulation equivalences for partial order 
models, e.g., with respect to hhpb, which is undecidable even in finite systems. 

The semantics of the logics we define here are based on the recognition of 
the dualities that can be defined in a partial order model for concurrency. The 
logic we introduce here is called Trace Fixpoint Logic ($\mathbb{L}_\mu$). As defined by its
semantics, $\mathbb{L}_\mu$ captures the duality between concurrency and causality by refining
the usual modal operator of $\mathcal{L}_\mu$. On the other hand, the duality between
concurrency and conflict is captured by a second-order modality that recognises
maximal traces in the system. Such a modality enjoys beautiful mathematical
properties; in particular, it is not only a monotonic but also an idempotent
operator, which informally means that it delivers as much information as possible
whenever used. $\mathbb{L}_\mu$ is a simpler, purely modal logic for reasoning about
partial order systems, alternative to the fixpoint logic introduced in [18].

Process Spaces. In order to define the semantics of $\mathbb{L}_\mu$ we construct an intermediate
structure into which any of the systems we consider here can be mapped.
Such a structure determines a 'space of processes', which are simple abstract
entities representing pieces of isolated (i.e., local and independent) behaviour.

Definition 3.5 Let $\mathfrak{T} = (S, s_0, T, \Sigma, I)$ be a system. A Process Space $\mathfrak{S}$ is
the lattice $\mathfrak{P} \times \mathfrak{A}$, where $\mathfrak{P}$ is the set of support sets of $\mathfrak{T}$ and $\mathfrak{A}$ is the set of
transitions $T \cup \{t_\varepsilon\}$, such that $t_\varepsilon$ is the empty transition satisfying that for all
$t \in T$, if $s_0 = \sigma(t)$ then $t_\varepsilon \leq t$. A tuple $(R, t) \in \mathfrak{S}$ is called a process, and the
initial process of $\mathfrak{S}$ is the tuple $(\mathfrak{X}_0, t_\varepsilon)$, where $\mathfrak{X}_0 = \mathfrak{X}(s_0)$. ◁

Notice that for any process it is always possible to infer the particular state
in $\mathfrak{T}$ to which such a process relates. Since a process does not represent explicitly
the states of a system we say that a process space is 'stateless'. Also, let $\mathcal{X}$ be
the subset of $\mathfrak{P}$ that contains only maximal sets $\mathfrak{X}$ and maximal traces $M$. Call
$\mathfrak{S} = \mathcal{X} \times \mathfrak{A}$ a stateless maximal process space.

Trace Fixpoint Logic. Having defined local dualities in partial order models
and a process space upon them, we are now ready to present a modal logic
that is sensitive to causal information and that allows for reasoning on the traces
of a concurrent system with a partial order semantics.

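Definition 3.6 Trace Fixpoint Logic ($\mathbb{L}_\mu$) has formulae $\phi$ built from a set $Var$
of variables $Y, Z, \ldots$ and a set $U$ of labels $a, b, \ldots$ by the following grammar:

$\phi ::= Z \mid \neg\phi_1 \mid \phi_1 \wedge \phi_2 \mid \langle a \rangle_c \phi_1 \mid \langle a \rangle_{nc} \phi_1 \mid \langle\otimes\rangle \phi_1 \mid \mu Z.\phi_1$

where $Z \in Var$ and $\mu Z.\phi_1$ has the restriction that any free occurrence of $Z$ in $\phi_1$
must be within the scope of an even number of negations. Dual boolean, modal,
and fixpoint operators are defined in the usual way:

$\phi_1 \vee \phi_2 = \neg(\neg\phi_1 \wedge \neg\phi_2)$

$[a]_c \phi_1 = \neg\langle a \rangle_c \neg\phi_1$

$[a]_{nc} \phi_1 = \neg\langle a \rangle_{nc} \neg\phi_1$

$[\otimes] \phi_1 = \neg\langle\otimes\rangle \neg\phi_1$

$\nu Z.\phi_1 = \neg\mu Z.\neg\phi_1[\neg Z / Z]$

Boolean constants and other abbreviations are defined as for $\mathcal{L}_\mu$. Moreover,
'plain' modalities, i.e., HML modalities, can be represented as follows:

$\langle a \rangle \phi_1 = \langle a \rangle_c \phi_1 \vee \langle a \rangle_{nc} \phi_1$

$[a] \phi_1 = [a]_c \phi_1 \wedge [a]_{nc} \phi_1$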

We say that a formula is in 'positive form' if negations are applied only to
variables. Any formula built with the language given above, together with the
dual operators, can be converted into positive form; it is moreover in 'positive
normal form' if there are no clashes of bound variables. Again, any formula can
be converted into an equivalent one in positive normal form. Then, without loss 
of generality, hereafter we only consider formulae in positive normal form. 
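
Definition 3.7 A model $\mathfrak{M}$ is a system $\mathfrak{T} = (S, s_0, T, I, \Sigma)$ together with a
valuation $\mathcal{V} : Var \to 2^{\mathfrak{S}}$, where $\mathfrak{S} = \mathcal{X} \times \mathfrak{A}$ is the stateless maximal process space
associated with $\mathfrak{T}$. The denotation $\|\phi\|^{\mathfrak{T}}_{\mathcal{V}}$ of a formula $\phi$ in the model $\mathfrak{M} = (\mathfrak{T}, \mathcal{V})$
is a subset of $\mathfrak{S}$, given by the following rules (omitting the superscript $\mathfrak{T}$):

$\|Z\|_{\mathcal{V}} = \mathcal{V}(Z)$

$\|\neg\phi_1\|_{\mathcal{V}} = \mathfrak{S} - \|\phi_1\|_{\mathcal{V}}$

$\|\phi_1 \wedge \phi_2\|_{\mathcal{V}} = \|\phi_1\|_{\mathcal{V}} \cap \|\phi_2\|_{\mathcal{V}}$

$\|\langle a \rangle_c \phi_1\|_{\mathcal{V}} = \{(R, t) \in \mathfrak{S} \mid \exists r \in R.\ t \leq r \wedge (\mathfrak{X}, r) \in \|\phi_1\|_{\mathcal{V}}\}$

$\|\langle a \rangle_{nc} \phi_1\|_{\mathcal{V}} = \{(R, t) \in \mathfrak{S} \mid \exists r \in R.\ t \ominus r \wedge (\mathfrak{X}, r) \in \|\phi_1\|_{\mathcal{V}}\}$

$\|\langle\otimes\rangle \phi_1\|_{\mathcal{V}} = \{(R, t) \in \mathfrak{S} \mid \exists M \in \mathcal{X}.\ M \sqsubseteq R \wedge (M, t) \in \|\phi_1\|_{\mathcal{V}}\}$

such that $a = \delta(r)$ and $\mathfrak{X}$ is the maximal set at $\tau(r)$. Also, given the usual
restriction on free occurrences of variables imposed in order to obtain monotone
operators in the complete lattice $(2^{\mathfrak{S}}, \subseteq)$, the powerset lattice of $\mathfrak{S}$, it is
possible to define the denotation of the least fixpoint operator in the standard way
according to the Knaster-Tarski fixpoint theorem:

$\|\mu Z.\phi_1\|_{\mathcal{V}} = \bigcap \{Q \subseteq \mathfrak{S} \mid \|\phi_1\|_{\mathcal{V}[Z := Q]} \subseteq Q\}$

where $\mathcal{V}[Z := Q]$ is the valuation $\mathcal{V}'$ which agrees with $\mathcal{V}$ save that $\mathcal{V}'(Z) = Q$.
Since positive normal form is assumed henceforth, the semantics of the dual
boolean, modal, and fixpoint operators can be given in the usual way. Finally,
the satisfaction relation $\models$ is defined in the usual way: given a process $P$ and a
formula $\phi$, we have that $P \models \phi$ iff $P \in \|\phi\|$. ◁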

Informally, the meaning of the basic operators is the following: boolean
constants and operators are interpreted in the usual sense; the semantics of the
'causal' diamond modality $\langle a \rangle_c \phi_1$ (resp. of the 'non-causal' diamond modality
$\langle a \rangle_{nc} \phi_1$) is that a process $(R, t)$ satisfies $\langle a \rangle_c \phi_1$ (resp. $\langle a \rangle_{nc} \phi_1$) if it can perform
an $a$-labelled action $r$ that causally depends on $t$ (resp. that is independent
of $t$) and move through $r$ into a process where $\phi_1$ holds; and dually for the
causal and non-causal box modalities $[a]_c \phi_1$ and $[a]_{nc} \phi_1$. The modality $\langle\otimes\rangle \phi_1$
provides local second-order power on conflict-free sets of transitions, i.e., on
sets of independent transitions. This modality allows one to restrict, locally, the
behaviour of a system to those executions that can actually happen concurrently
at a given state. Finally, the meaning of the fixpoint operators is as for $\mathcal{L}_\mu$.

Proposition 3.8 $\langle\otimes\rangle$ is an idempotent operator.

Proof. Let $H = \|\langle\otimes\rangle \phi\|$ and $G = \|\phi\|$. $G$ can be split into two disjoint sets
of stateless maximal processes $G^{\otimes} \uplus G^{\#}$ (called simply processes in the sequel),
where the former is the set of processes in $G$ whose support sets are conflict-free,
and the latter those processes whose support sets are not, i.e., $G \setminus G^{\otimes}$. Similarly,
$H$ can be represented as the disjoint union of sets of processes $H^{\otimes}$ and $H^{\#}$.

Notice that $H^{\otimes} = G^{\otimes}$ because for any process $P_{H^{\otimes}} = (R, t)$ in $H^{\otimes}$ there is
a process $P_{G^{\otimes}} = (R, t)$ in $G^{\otimes}$, since $R \sqsubseteq R$ for any conflict-free support set $R$.
However, this is clearly not the case for the processes in $G^{\#}$ and $H^{\#}$, because
there may be a process $P_{G^{\#}}$ in $G^{\#}$ (whose support set is necessarily maximal and
not conflict-free) such that there is no process $P_{G^{\otimes}}$ in $G^{\otimes}$ to which the support
set of $P_{G^{\#}}$ can be related using $\sqsubseteq$. Therefore, whereas $G^{\#}$ would contain such
a process, $H^{\#}$ would not. Similarly, there may be new processes in $H^{\#}$ whose
support sets can be related to support sets of processes in $G^{\otimes}$ (and of course in
$H^{\otimes}$ as well) using $\sqsubseteq$ but that were not in $G^{\#}$.

Now, let $F = F^{\otimes} \uplus F^{\#} = \|\langle\otimes\rangle \langle\otimes\rangle \phi\|$. For the same reason as before, $F^{\otimes} =
H^{\otimes}$. However, in this case $F^{\#} = H^{\#}$ since now for every process in both $F^{\#}$
and $H^{\#}$, there must be a process in $H^{\otimes}$ (and of course in $F^{\otimes}$) to which their
support sets can be related using $\sqsubseteq$. So, since applying $\langle\otimes\rangle$ only once always
leads to a fixpoint, then $\langle\otimes\rangle$ is an idempotent operator. □

Fact 3.9 $\langle\otimes\rangle$ is not an extensive operator.

Proof. Let $H = H^{\otimes} \uplus H^{\#} = \|\langle\otimes\rangle \phi\|$ and $G = G^{\otimes} \uplus G^{\#} = \|\phi\|$, where $H^{\otimes}$
and $H^{\#}$ as well as $G^{\otimes}$ and $G^{\#}$ are defined as before. As shown in the proof of
Proposition 3.8, it is possible that $G^{\#}$ contains processes that are not in $H^{\#}$.
Therefore $G \not\subseteq H$. □

Corollary 3.10 $\langle\otimes\rangle$ is not a closure operator.

Proof. $\langle\otimes\rangle$ is monotonic and idempotent, but is not extensive. □



3.3 Logical and Concurrent Equivalences 

We now turn our attention to the study of the relationships between the explicit 
notion of independence in concurrent systems with partial order semantics (a 
model independence), and the explicit notion of independence in the logics we 
have defined (a logical independence). We do so by relating well-known
equivalences for concurrency, namely $\sim_{sb}$, $\sim_{hpb}$ and $\sim_{hhpb}$, with the equivalences
induced by different sublogics where the interplay between concurrency and 
conflict, and concurrency and causality is syntactically restricted. 

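Definition 3.11 ($\mathfrak{L}$ equivalence $\sim_{\mathfrak{L}}$) Given a logic $\mathfrak{L}$, two processes $P$ and $Q$
associated with two systems $\mathfrak{T}_1$ and $\mathfrak{T}_2$, respectively, are $\mathfrak{L}$-equivalent, $P \sim_{\mathfrak{L}} Q$,
if and only if, for every $\mathfrak{L}$ formula $\phi$ in $\mathfrak{F}_{\mathfrak{L}}$, $P \models \phi \Leftrightarrow Q \models \phi$, where $\mathfrak{F}_{\mathfrak{L}}$ is
the set of all fixpoint-free closed formulae of $\mathfrak{L}$. ◁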

Remark 3.12 The previous definition delivers a logical, abstract notion of
equivalence that can be used across different models for concurrency, i.e., tailored
to be model independent. With this logical notion of equivalence two systems $\mathfrak{T}_1$
and $\mathfrak{T}_2$, possibly of different kinds, are equivalent with respect to some
equivalence $\sim_{\mathfrak{L}}$ if, and only if, their associated process spaces cannot be differentiated
by any $\mathfrak{L}$-logical formula. ◁

Recall that in order to obtain an exact match between finitary modal logic
and bisimulation, all models considered here are image-finite [20], i.e., of finite
branching. Moreover, since the semantics of $\mathbb{L}_\mu$ is based on action labels, we only
consider models without 'auto-concurrency' [35], a common restriction when
studying either modal logics or equivalences for (labelled) partial order models.

More precisely, auto-concurrency is the phenomenon by which multiple in- 
stances of various concurrent transitions are equally labelled. In other words, 
auto-concurrency can be seen as nondeterminism inside a set of independent 
transitions. In many cases auto-concurrency is regarded as an undesirable situation 
on partial order models, since it can be easily avoided in practice and makes 
the analysis of behavioural properties of concurrent processes with partial order 
semantics slightly counter-intuitive. 

As a matter of fact, on finite systems, auto-concurrency is formally, but 
not actually, a further restriction since any bounded branching system that 
has auto-concurrency can be effectively converted into a system that does not 
have auto-concurrency by a suitable relabelling of auto-concurrent transitions 
without changing the concurrent behaviour of the model. Notice that no auto- 
concurrency is a real further restriction for infinite systems as image-finiteness 
does not imply branching boundedness on infinite models. 

Having said that, let us turn to the study of some syntactic fragments of $L_\mu$. 
They are called the natural syntactic fragments of because such sub-logics 
arise as the languages where the dualities between concurrency and causality 
as well as concurrency and conflict are syntactically manipulated. As we will 
see the equivalences induced by all such fragments are decidable and in some 
cases coincide with well-known bisimilarities for interleaving and for partial order 
models of concurrency. We start this study of logical and concurrent equivalences 
by analysing a syntactic fragment of that is oblivious to causal information. 

The Modal Mu-Calculus. The first sublogic is obtained from by disabling 
the sensitivity of this logic to both dualities. On the one hand, insensitivity to 
the duality between concurrency and causality can be captured by considering 
only modalities without subscript, i.e., HML modalities, using the abbreviations 
given previously in Section 3.2. On the other hand, insensitivity to the duality 
between concurrency and conflict can be captured by considering the $[\langle\otimes\rangle]$-free 
sublanguage, where $[\langle\otimes\rangle]$ means $\{\langle\otimes\rangle, [\otimes]\}$. The resulting logic has the same 
syntax of This fragment is the purely-modal $[\langle\otimes\rangle]$-free fragment of $L_\mu$. 

Proposition 3.13 The syntactic purely-modal $[\langle\otimes\rangle]$-free fragment of is 
semantically equivalent to the modal mu-calculus. 

Proof. Recall the semantics of the operators of $L_\mu$. Without loss of generality, 
we can only consider the case of the modal operators. 

$$\|\langle a\rangle\phi_1\|_V = \|\langle a\rangle_c\phi_1 \vee \langle a\rangle_{nc}\phi_1\|_V = \|\langle a\rangle_c\phi_1\|_V \cup \|\langle a\rangle_{nc}\phi_1\|_V$$

$$= \{(R,t) \in \mathfrak{X} \times \mathfrak{A} \mid \exists r \in R.\ t \le r \wedge (X,r) \in \|\phi_1\|_V\} \cup \{(R,t) \in \mathfrak{X} \times \mathfrak{A} \mid \exists r \in R.\ t \ominus r \wedge (X,r) \in \|\phi_1\|_V\}$$

The first observation to be made is that the $[\langle\otimes\rangle]$-free fragment of only 
considers maximal sets in the semantics. Therefore, support sets can be disregarded 
and only the state $\sigma(r)$ associated with a transition $r \in R$ needs to be kept. Then, 
the expressions above can be modified in the following way: 

$$\|\langle a\rangle\phi_1\|_V = \{(s,t) \in S \times \mathfrak{A} \mid \exists q \in S.\ t \le r \wedge (q,r) \in \|\phi_1\|_V\} \cup \{(s,t) \in S \times \mathfrak{A} \mid \exists q \in S.\ t \ominus r \wedge (q,r) \in \|\phi_1\|_V\}$$

where $r = s \xrightarrow{a} q$. The second observation is that when computing the semantics 
of the combined operator $\langle a\rangle$, the conditions $t \le r$ and $t \ominus r$ complement each 
other and become trivially true since there are no other possibilities. Therefore, 
the second component of every pair $(s,t) \in S \times \mathfrak{A}$ can also be disregarded. 

$$\|\langle a\rangle\phi_1\|_V = \{s \in S \mid \exists q \in S.\ s \xrightarrow{a} q \wedge q \in \|\phi_1\|_V\}$$

The case for the box operator $[a]$ is similar. As a consequence, the semantics 
of all the operators of this sublogic and the mu-calculus coincide. □ 

Remark 3.14 The mu-calculus cannot recognise pairs of transitions in $I$ and 
therefore sees any partial order model as its interleaving counterpart, or what is 
equivalent, a partial order model with an empty relation $I$. As a consequence, 
although using a partial order model of concurrency, it is possible to retain in 
all the joys of a logic with an interleaving model, and so, nothing is lost with 
respect to the main interleaving approaches to concurrency. $\triangleleft$ 

Regarding logical and concurrent equivalences, it is now easy to see that 
$\sim_{sb}$, the bisimulation equivalence induced by modal logic, is captured by the 
fixpoint-free fragment of this sublogic, which we can denote by $\sim_{\mathcal{L}_\mu}$. Hence, the 
logical correspondence = $\sim_{sb}$ follows from Proposition 3.13 and the fact 
that modal logic characterises bisimulation on image-finite models. 



The Trace Modal Mu-Calculus. The second sublogic we study is the 'trace 
modal mu-calculus', $\mathcal{L}^{\otimes}_\mu$. This logic is obtained from by allowing only the 
recognition of the duality between concurrency and conflict with its idempotent 
operator. The syntax of $\mathcal{L}^{\otimes}_\mu$ is: $\phi ::= Z \mid \neg\phi_1 \mid \phi_1 \wedge \phi_2 \mid \langle a\rangle\phi_1 \mid \langle\otimes\rangle\phi_1 \mid \mu Z.\phi_1$. 

We write for the equivalence induced by this sublogic. It is easy to see 
that $\mathcal{L}^{\otimes}_\mu$ is more expressive than $\mathcal{L}_\mu$ in partial order models simply because $\mathcal{L}^{\otimes}_\mu$ 
includes $\mathcal{L}_\mu$ and can differentiate concurrency from nondeterminism. However, 
the following counter-example shows that and $\sim_{hpb}$ do not coincide. 

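Proposition 3.15 Neither $\sim_{hpb} \subseteq \sim_{\mathcal{L}^{\otimes}_\mu}$ nor $\sim_{\mathcal{L}^{\otimes}_\mu} \subseteq \sim_{hpb}$. 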

Proof. The two systems at the top in Figure 2 are hp bisimilar and yet can be 
distinguished by the formula $\phi = \langle\otimes\rangle(\langle a\rangle\langle c\rangle tt \wedge \langle b\rangle\langle d\rangle tt)$. On the other hand, 
the systems at the bottom are not hp bisimilar and cannot be differentiated by 
any $\mathcal{L}^{\otimes}_\mu$ formula. This can be verified by exhaustively checking formulae in 
the initial state o. □ 

Fig. 2. Counter-examples of the coincidence between $\sim_{hpb}$ and 



There is a fundamental reason for the mismatch between $\sim_{hpb}$ and $\sim_{\mathcal{L}^{\otimes}_\mu}$. It 
has to do with a special 'sharing' of resources between some of the transitions 
in the model. This special kind of sharing of resources is characterised by a 
phenomenon called confusion, which is a concept in net theory, and thus, it is 
useful to think of it directly on nets. 

Confusion can be symmetric or asymmetric. Roughly speaking, it is a phenomenon 
that arises between at least three different actions, say between $t_1$, $t_2$, 
and $t_3$. In the symmetric case, two of them are independent, e.g., $t_1$ par $t_2$, and 
at the same time are in conflict with the third action, i.e., ${}^\bullet t_1 \cap {}^\bullet t_3 \neq \emptyset$ and 
${}^\bullet t_2 \cap {}^\bullet t_3 \neq \emptyset$. On the other hand, in the asymmetric case, two of the actions are 
independent, e.g., $t_1$ par $t_2$ as before, whereas the third one is in conflict with 
one of the independent actions, say with $t_1$, and causally depends on the other, 
i.e., ${}^\bullet t_1 \cap {}^\bullet t_3 \neq \emptyset$ and $t_2^\bullet \cap {}^\bullet t_3 \neq \emptyset$, respectively. Confusion is important because, 
although it is undesirable when analysing the behaviour of a concurrent system, 
it is also "inherent to any reasonable net model of a mutual exclusion module" 
[44]. Confusion is also present when modelling race conditions in concurrent and 
distributed systems with shared memory models. These facts show the ubiquity 
of this phenomenon when analysing real-life models of communicating concur- 
rent systems. Although confusion is a natural concept in net theory, it can also 
be defined for TSI and event structures, though in these cases the definition 
is more complicated because it involves sets of transitions and sets of events, 
respectively, rather than single actions as in the Petri net case. 

Confusion appears in the two counter-examples shown in Figure 2, in both 
cases in its asymmetric variant. The problem is that both $\sim_{hpb}$ and $\sim_{\mathcal{L}^{\otimes}_\mu}$ can 
recognise some forms of confusion, but not all of them. However, there is a class 
of nets called free-choice where confusion never arises, and for which coincidence 
results between $\sim_{hpb}$ and $\sim_{\mathcal{L}^{\otimes}_\mu}$ may be possible. Define a free-choice system as 
follows (see [B] for an equivalent presentation): 

Definition 3.16 A system $\mathfrak{T}$ is free-choice iff whenever there are three 
transitions $t_1$, $t_2$, and $t_3$ such that $t_1$ is in conflict with $t_2$ and any of them is 
independent of $t_3$, i.e., either $(t_1,t_3) \in I$ or $(t_2,t_3) \in I$, then there must be two 
transitions $t_4$ and $t_5$, where $t_1 \sim t_4$ and $t_2 \sim t_5$, such that $t_4$ and $t_5$ are also in 
conflict, and $t_3$ is independent of both $t_4$ and $t_5$. $\triangleleft$ 

Informally, the previous definition means that a choice, i.e., a conflict, cannot 
be globally affected by the execution of a concurrent transition, since equivalent 
choices are always possible both before and after that. These facts, along with 
the observations made before, led us to believe that the following statement 
holds, although we have so far not been able to prove it. 

Conjecture 3.17 = $\sim_{hpb}$ on free-choice systems without auto-concurrency. 

Now, let us move to the study of a modal logic that is sensitive to the 
causal information embodied in partial order systems. In particular, it will be 
shown that for some classes of systems the local duality between concurrency 
and causality is good enough to capture the full notion of global causality defined 
by $\sim_{hpb}$ on partial order models. 

From Local to Global Causality 

In this section we show the first coincidence result of the equivalence induced 
by one of the sublogics of with a bisimilarity for partial order systems. The 
result holds for a class of systems whose expressive power lies between that of 
so-called 'free-choice' nets [H] and that of safe nets, as before with the usual 
restrictions to systems that are image-finite and have no auto-concurrency. 

The coincidence result is with respect to $\sim_{hpb}$. This equivalence is considered 
to be the standard bisimulation equivalence for causality since it fully captures 
the interplay between branching and causal behaviour. The interesting feature of 
this coincidence result is that $\sim_{hpb}$ provides a global notion of causality whereas 
the logic we are about to study induces a local one, as shown later on. Then, the 
question we answer here is that of the class of systems for which 'local causality' 
fully captures the standard notion of 'global causality'. Such an answer is given 
by the following modal logic. 

The Causal Modal Mu-Calculus. The fourth sublogic to be considered is the 
'causal modal mu-calculus', This sublogic is obtained from by allowing 
only the recognition of the duality between concurrency and causality throughout 
the modal operators on transitions of $L_\mu$. The syntax of this syntactic fragment 
is the following: $\phi ::= Z \mid \neg\phi_1 \mid \phi_1 \wedge \phi_2 \mid \langle a\rangle_c\phi_1 \mid \langle a\rangle_{nc}\phi_1 \mid \mu Z.\phi_1$. 

Clearly, is also more expressive than in partial order models because 
of the same reasons given for The naturality of $\mathcal{L}^c_\mu$ for expressing causal 
properties is demonstrated by the equivalence it induces, written as , which 
coincides with $\sim_{hpb}$, the standard bisimulation equivalence for causal systems, 
when restricted to systems without auto-concurrency where any 3-tuple of 
transitions $(t_1,t_2,t_3)$ in confusion is in some sense deterministic. Thus, let us define 
confusion, a ternary relation on transitions as well as its deterministic variant 
when considering labelled systems. 

Definition 3.18 (Confusion) Let cfs be a relation on transitions of a system 
$\mathfrak{T}$ such that $(t_1,t_2,t_3) \in$ cfs iff $t_1 \ominus t_2$ and either $t_1 \# t_3$ and $t_2 \# t_3$ (the 
symmetric case) or $t_1 \le t_3$ and $\exists r_2.\ t_2 \sim r_2 \wedge r_2 \# t_3$ (the asymmetric case). A tuple 
$(t_1,t_2,t_3) \in$ cfs is deterministic iff either the three transitions have different 
labels or $\delta(t_1) = \delta(t_3)$ and $t_1 \le t_3$. $\triangleleft$ 

There are analogous Petri net and event structure definitions for confusion 
using the basic elements of such models. Those definitions are much better known 
than the one presented here since confusion is a basic concept in net theory; 
however, the definition we have just given is equivalent. Perhaps due to this 
fact, a very easy way of depicting confusion is using Petri nets. Figure 3 
shows the two simplest nets featuring confusion, both in their symmetric and 
asymmetric variants. 




Fig. 3. Confusion: the Petri net on the left has symmetric confusion and the Petri net 
on the right has asymmetric confusion. In both cases it is deterministic. 



Any Petri net that has confusion must have either of these two nets as a 
subsystem. The statement equivalently holds for TSI and event structures if 
considering, respectively, the TSI and event structure models corresponding to 
such nets. This property allows one to define a class of systems for which the 
logical equivalence induced by $\mathcal{L}^c_\mu$ captures $\sim_{hpb}$. Such a class contains those 
systems without auto-concurrency that either are free-choice or whose confusion 
relation has only deterministic tuples. Thus, let us now define the class of free- 
choice systems. For simplicity, we do so indirectly via the standard definition of 
free-choice nets, which is well-known in the literature. 

Definition 3.19 (Free-choice nets) Let $N$ be a net. A net is free-choice iff 
for all $s \in P$ we have that $|s^\bullet| \le 1$ or $\forall t \in s^\bullet.\ |{}^\bullet t| = 1$. $\triangleleft$ 

A free-choice Petri net is a free-choice net with an initial marking. A free- 
choice event structure is an event structure unfolding [31] of a free-choice Petri 
net and a free-choice TSI is the TSI model obtained from a free-choice Petri 
net. Free-choice nets, and hence free-choice systems, have no confusion as other 
classes of systems. But what is interesting about this class of nets is that the 
confusion-freeness property (which is a behavioural characteristic) comes directly 
from a structural property of these nets. In particular, any free-choice net can 
be built using the subnets shown in Figure 4 (with additional flow arrows after 
net actions, which can be used unrestrictedly as long as the net is safe). 




Fig. 4. Free-choice nets: two subnets from which any free-choice system can be built. 
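
The following Python sketch is an added example, not code from the paper. It checks the structural free-choice condition of Definition 3.19 and searches a safe net for the symmetric and asymmetric confusion patterns in their Petri net reading (shared presets, or a preset fed by the postset of a concurrent transition). The sample nets, place and transition names are constructed, and two transitions are taken as concurrent when both are enabled at a reachable marking with disjoint presets.

```python
from itertools import permutations

def T(pre, post):
    """A transition as (preset, postset) of place names."""
    return frozenset(pre), frozenset(post)

# Constructed sample nets (not from the paper): transition name -> (preset, postset).
SYMMETRIC = {"t1": T({"p1"}, {"q1"}), "t2": T({"p2"}, {"q2"}),
             "t3": T({"p1", "p2"}, {"q3"})}
ASYMMETRIC = {"t1": T({"p1"}, {"q1"}), "t2": T({"p2"}, {"p3"}),
              "t3": T({"p1", "p3"}, {"q3"})}
FREE_CHOICE = {"t1": T({"p1"}, {"q1"}), "t2": T({"p1"}, {"q2"}),
               "t3": T({"p2"}, {"q3"})}
M0 = frozenset({"p1", "p2"})  # initial marking used for all three samples

def enabled(net, marking):
    return {t for t, (pre, _) in net.items() if pre <= marking}

def fire(net, marking, t):
    pre, post = net[t]
    return frozenset((marking - pre) | post)  # set semantics: the net is assumed safe

def reachable(net, m0):
    """All markings reachable from m0 (finite because the net is safe)."""
    seen, todo = {m0}, [m0]
    while todo:
        m = todo.pop()
        for t in enabled(net, m):
            m2 = fire(net, m, t)
            if m2 not in seen:
                seen.add(m2)
                todo.append(m2)
    return seen

def is_free_choice(net):
    """Definition 3.19: every place has at most one consumer, or all of its
    consumers have a singleton preset."""
    places = set().union(*(pre | post for pre, post in net.values()))
    for s in places:
        consumers = [t for t, (pre, _) in net.items() if s in pre]
        if len(consumers) > 1 and any(len(net[t][0]) != 1 for t in consumers):
            return False
    return True

def concurrent_pairs(net, m0):
    """Ordered pairs (t1, t2) enabled together at a reachable marking with
    disjoint presets, i.e. 't1 par t2' on a safe net."""
    pairs = set()
    for m in reachable(net, m0):
        for t1, t2 in permutations(enabled(net, m), 2):
            if not (net[t1][0] & net[t2][0]):
                pairs.add((t1, t2))
    return pairs

def confusion(net, m0):
    """Triples (kind, t1, t2, t3) matching the two confusion patterns."""
    found = set()
    for t1, t2 in concurrent_pairs(net, m0):
        pre1 = net[t1][0]
        pre2, post2 = net[t2]
        for t3, (pre3, _) in net.items():
            if t3 in (t1, t2):
                continue
            if pre1 & pre3 and pre2 & pre3:
                # t3 competes with both concurrent transitions
                found.add(("symmetric", *sorted((t1, t2)), t3))
            elif pre1 & pre3 and post2 & pre3:
                # t3 competes with t1 and needs a token produced by t2
                found.add(("asymmetric", t1, t2, t3))
    return found
```

On the three constructed nets, the free-choice sample yields no confusion triple, while each of the other two fails the free-choice test and reports exactly one triple of the corresponding kind.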

We are almost ready to show that the two equivalences and $\sim_{hpb}$ coincide 
for a class of systems that we call 'fc-structured', and denote by S. 

Definition 3.20 (Fc-structured (S) systems) The family of fc-structured 
(S) systems is the class of systems without auto-concurrency that either are 
free-choice or whose confusion relation has only deterministic elements. $\triangleleft$ 

Remark 3.21 The family of S systems contains, at least, the following classes 
of models (without auto-concurrency and with a deterministic conflict relation): 
Moore and Mealy machines, labelled graphs, synchronous and asynchronous 
products of sequential systems, free-choice systems, and nondeterministic 
concurrent systems. More importantly, S systems can model mutual exclusion 
protocols and the usual synchronization mechanisms of some process calculi. $\triangleleft$ 

Now, back to the issue of relating $\sim_{hpb}$ and , the proof that $\sim_{hpb}$ and 
$\sim_{\mathcal{L}^c_\mu}$ coincide for the class of E systems goes by showing that the two inclusions 
$\sim_{hpb} \subseteq \sim_{\mathcal{L}^c_\mu}$ and $\sim_{\mathcal{L}^c_\mu} \subseteq \sim_{hpb}$ hold separately. In fact, the first inclusion holds for 
any class of systems while the second one requires the restriction to S systems. 

Lemma 3.22 (Logical soundness) $\sim_{hpb} \subseteq \sim_{\mathcal{L}^c_\mu}$. 

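Proof. This inclusion can be shown by induction on formulae, which we 
denote by $\mathfrak{F}_{\mathcal{L}^c_\mu}$. Let $\mathfrak{T}_1$ and $\mathfrak{T}_0$ be two systems and $P \in \mathfrak{S}_1$ and $Q \in \mathfrak{S}_0$ two 
processes that belong to the process spaces $\mathfrak{S}_1$ and $\mathfrak{S}_0$ associated with $\mathfrak{T}_1$ and $\mathfrak{T}_0$, 
respectively. If $P \sim_{hpb} Q$ then for all $\phi \in \mathfrak{F}_{\mathcal{L}^c_\mu}$ we have that $P \models^{\mathfrak{M}_1} \phi \Leftrightarrow Q \models^{\mathfrak{M}_0} \phi$ 
given two models $\mathfrak{M}_1 = (\mathfrak{T}_1, V_1)$ and $\mathfrak{M}_0 = (\mathfrak{T}_0, V_0)$. Since $\mathcal{L}^c_\mu$ only considers 
maximal sets, the process $P = (p,t)$ (resp. the process $Q = (q,t)$) is actually a 
binary tuple in $S_1 \times \mathfrak{A}_1$ (resp. in $S_0 \times \mathfrak{A}_0$) rather than a tuple in $\mathfrak{X}_1 \times \mathfrak{A}_1$ (resp. 
in $\mathfrak{X}_0 \times \mathfrak{A}_0$). Henceforth, let us write $\models$ instead of $\models^{\mathfrak{M}_i}$, for $i \in \{0, 1\}$, since the 
models will be clear from the context. 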

The base case of the induction is when $\phi = tt$ or when $\phi = ff$, which is trivial 
since tt and ff are always true and false, respectively. Now, consider the cases 
for the boolean operators $\wedge$ and $\vee$; first suppose that $\phi = \psi_1 \wedge \psi_2$ and assume 
that the result holds for both $\psi_1$ and $\psi_2$. By the definition of the satisfaction 
relation, $P \models \phi$ iff $P \models \psi_1$ and $P \models \psi_2$ iff, by the inductive hypothesis, $Q \models \psi_1$ 
and $Q \models \psi_2$, and hence, by the definition of the satisfaction relation, $Q \models \phi$. 
The case for $\vee$ is similar. 

Now, consider the cases for the four modalities. First, suppose $\phi = [a]_{nc}\psi$ 
and $P \models \phi$. Therefore, for any $P' = (p',t')$, such that $a = \delta(t')$ and $P \xrightarrow{a} P'$ 
and $t \ominus t'$, it follows that $P' \models \psi$. Now, let $Q \xrightarrow{a} Q'$ such that $a = \delta(t')$ and 
$t \ominus t'$ since the bisimulation must remain synchronous. Just to recall, synchrony 
in an hp bisimulation means that the last transition chosen in $\mathfrak{T}_1$ (resp. in $\mathfrak{T}_0$) 
is concurrent with the former transition also chosen in $\mathfrak{T}_1$ (resp. in $\mathfrak{T}_0$) iff the 
same pattern holds in the last two transitions chosen in $\mathfrak{T}_0$ (resp. in $\mathfrak{T}_1$), and 
moreover the two sequences of transitions (i.e., runs) that are generated in this 
way are the linearisations of isomorphic posets. So, as we know that for some 
$P'$ there is a $P \xrightarrow{a} P'$, where $t \ominus t'$, and by the inductive hypothesis $P' \sim_{hpb} Q'$, 
then $Q' \models \psi$, where $t \ominus t'$, and so by the definition of the satisfaction relation 
$Q \models \phi$. The case when $Q$ satisfies is symmetric, and the case when $\phi = [a]_c\psi$ 
is similar (only changing $\ominus$ for $\le$). The cases for the operators $\langle a\rangle_c$ and $\langle a\rangle_{nc}$ 
are analogous. □ 

In order to show the second inclusion, namely $\sim_{\mathcal{L}^c_\mu} \subseteq \sim_{hpb}$, we first require 
some lemmas that characterise the set of runs that can be identified by $\mathcal{L}^c_\mu$ in 
a partial order system. More specifically, a proof that if two systems $\mathfrak{T}_0$ and $\mathfrak{T}_1$ 
are $\mathcal{L}^c_\mu$-equivalent, then for each run of one of the systems there exists a 'locally 
synchronous' run (which is defined below) in the other system. Then, one can use 
this result to show that for any two S systems $\mathfrak{T}_0$ and $\mathfrak{T}_1$ such that $\mathfrak{T}_0 \sim_{\mathcal{L}^c_\mu} \mathfrak{T}_1$, 
each pair of locally synchronous runs is moreover induced by two isomorphic 
posets, and hence, the two systems must be $\sim_{hpb}$ as well since in such a case the 
pair of runs is synchronous. 

Recall the definition of runs and of synchronous runs given before, and let 
$\pi_0 \in \Pi_{\mathfrak{T}_0}$ and $\pi_1 \in \Pi_{\mathfrak{T}_1}$ be two runs of two systems $\mathfrak{T}_0$ and $\mathfrak{T}_1$, and $u$, $v$ two 
transitions. A pair of runs $(\pi_0.u, \pi_1.v)$ is inductively defined as locally synchronous 
iff $(\pi_0,\pi_1)$ is locally synchronous and $(\rho(\pi_0),u) \in I_0 \Leftrightarrow (\rho(\pi_1),v) \in I_1$, where 
$I_0$ and $I_1$ are the independence relations of $\mathfrak{T}_0$ and $\mathfrak{T}_1$. By definition, the pair 
of empty runs $(\epsilon, \epsilon)$ is locally synchronous. Note that the definitions of locally 
synchronous runs and synchronous runs are quite similar; the only difference is 
that synchronous runs must be the linearization of isomorphic posets whereas 
locally synchronous runs need not be. 
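
The gap between the two notions can be made concrete with the following Python sketch, an added example that is not part of the paper. It takes the pairwise reading of 'synchronous' used at the end of the proof of Lemma 3.25 (every earlier position must relate to the new transition in the same way in both runs); the transition names and independence relations are constructed.

```python
def indep(rel, x, y):
    """Independence is symmetric, so pairs are stored as frozensets."""
    return frozenset((x, y)) in rel

def locally_synchronous(run0, run1, i0, i1):
    """Inductive definition: each new transition is independent of the last
    transition of the run so far in system 0 iff the same holds in system 1."""
    if len(run0) != len(run1):
        return False
    return all(
        indep(i0, run0[k - 1], run0[k]) == indep(i1, run1[k - 1], run1[k])
        for k in range(1, len(run0))
    )

def first_divergence(run0, run1, i0, i1):
    """Earliest (j, k), j < k, where position j relates to position k
    differently in the two runs; None when the runs agree everywhere."""
    for k in range(1, min(len(run0), len(run1))):
        for j in range(k):
            if indep(i0, run0[j], run0[k]) != indep(i1, run1[j], run1[k]):
                return (j, k)
    return None

def synchronous(run0, run1, i0, i1):
    """Pairwise agreement at every pair of positions, not only adjacent ones."""
    return len(run0) == len(run1) and first_divergence(run0, run1, i0, i1) is None

# Constructed witness: in system 0 the third transition depends on both earlier
# ones; in system 1 it depends only on the second one.
RUN0 = ["a0", "b0", "c0"]
RUN1 = ["a1", "b1", "c1"]
I0 = {frozenset(("a0", "b0"))}
I1 = {frozenset(("a1", "b1")), frozenset(("a1", "c1"))}
```

The constructed pair of runs is locally synchronous but not synchronous: the disagreement sits between positions 0 and 2, which the local check never compares.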
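
Lemma 3.23 Let $\mathfrak{T}_0$ and $\mathfrak{T}_1$ be two systems and $\Pi_{\mathfrak{T}_0}$ and $\Pi_{\mathfrak{T}_1}$ their sets of 
runs. If $\mathfrak{T}_0 \sim_{\mathcal{L}^c_\mu} \mathfrak{T}_1$ then for each $\pi_0 \in \Pi_{\mathfrak{T}_0}$ (resp. $\pi_1 \in \Pi_{\mathfrak{T}_1}$) there exists a 
run $\pi_1 \in \Pi_{\mathfrak{T}_1}$ (resp. $\pi_0 \in \Pi_{\mathfrak{T}_0}$) such that the pair of runs $(\pi_0,\pi_1)$ is locally 
synchronous. 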

Proof. The proof goes by a contradiction argument. Suppose that for all $\phi$ in 
$\mathfrak{F}_{\mathcal{L}^c_\mu}$ we have that $P \models \phi \Leftrightarrow Q \models \phi$ and there exists a run in one of the systems 
that is not locally synchronous to any of the runs in the other system. The case 
where $P$ and $Q$ are the initial processes of $\mathfrak{T}_0$ and $\mathfrak{T}_1$, respectively, is trivially 
false since, by definition, the pair of empty runs $(\epsilon, \epsilon)$ is locally synchronous. 

Then, suppose now that $(\pi_0,\pi_1)$ is locally synchronous and that $P$ and $Q$ 
are two processes reached, respectively, in $\mathfrak{T}_0$ and in $\mathfrak{T}_1$ after following $\pi_0$ and 
$\pi_1$ in each system (starting from their initial processes). Additionally, suppose 
that there exists a transition $u$ in one of the systems, say in $\mathfrak{T}_0$, such that there 
is no transition $v$ in the other system for which the pair of runs $(\pi_0.u, \pi_1.v)$ is 
locally synchronous. Note that $P$ and $Q$ are strongly bisimilar, since $\mathcal{L}^c_\mu$ includes 
$\mathcal{L}_\mu$, and thus, the case in which a process can perform a transition (regardless 
of its label) and the other cannot do so is impossible as this contradicts the 
hypothesis that $P \sim_{\mathcal{L}^c_\mu} Q$. 

So, suppose that for some transition $u$ with label $a$, $P = (p, \rho(\pi_0)) \xrightarrow{a} P' = 
(p', u)$ and $\rho(\pi_0) \ominus u$ (resp. $\rho(\pi_0) \le u$), but for all transitions $v$ such that $a = \delta(v)$ 
it holds that $Q = (q, \rho(\pi_1)) \xrightarrow{a} Q' = (q', v)$ and $\rho(\pi_1) \le v$ (resp. $\rho(\pi_1) \ominus v$) only. 
However, we know that, by hypothesis, $P \sim_{\mathcal{L}^c_\mu} Q$ and so, it must be true that if 
$P \models \langle a\rangle_{nc}\phi$ (resp. if $P \models \langle a\rangle_c\phi$) then $Q \models \langle a\rangle_{nc}\phi$ (resp. $Q \models \langle a\rangle_c\phi$), which is a 
contradiction. Thus, one must be able to match pairs of independent transitions 
in one of the systems whenever the same happens in the other system for all 
pairs of processes $P$ and $Q$ satisfying that $P \sim_{\mathcal{L}^c_\mu} Q$. □ 

The previous lemma ensures that if two systems satisfy the same set of $\mathcal{L}^c_\mu$ 
formulae, then, locally, they have the same causal behaviour. However, in order 
to show that, globally, they also have the same causal behaviour, one needs some 
additional information, which is given by the following lemma. 

Lemma 3.24 Let $\mathfrak{T}$ be a S system whose conflict relation is cfs and let $\pi \in \Pi_{\mathfrak{T}}$. 
If after executing the run $\pi$ in $\mathfrak{T}$ there are two different enabled transitions $u$ 
and $v$ such that $\delta(u) = \delta(v)$, then the following two statements hold: 

1. $u \# v$. 

2. There is at most one transition $t$ in $\pi$ such that $\tau(t) = \sigma(u') = \sigma(v')$ for 
which $t \le u'$ and $t \le v'$ and $u \sim u'$ and $v \sim v'$. 

Proof. In the same order as in the statement of the lemma: 

1. Because there is no auto-concurrency. 

2. As the confusion relation is deterministic there is no $c \in$ cfs such that both 
$u$ and $v$ belong to $c$; in particular neither transition can be an instance of an 
action $e$ (at the net level) for which $|{}^\bullet e| > 1$. Instead, such transitions are 
instances of two different actions $e_1$ and $e_2$ for which $|{}^\bullet e_1| = 1 = |{}^\bullet e_2|$. □ 

Finally, the following lemma ensures that for the class of S systems, the 
notion of locally synchronous runs (associated with local causality) is good 
enough to capture the stronger notion of synchronous runs (associated with 
global causality), so long as the two systems satisfy the same set of $\mathcal{L}^c_\mu$ formulae. 

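Lemma 3.25 Let $\mathfrak{T}_0$ and $\mathfrak{T}_1$ be E systems whose sets of runs are $\Pi_{\mathfrak{T}_0}$ and 
$\Pi_{\mathfrak{T}_1}$. If for each $\pi_0 \in \Pi_{\mathfrak{T}_0}$ (resp. $\pi_1 \in \Pi_{\mathfrak{T}_1}$) there exists some $\pi_1 \in \Pi_{\mathfrak{T}_1}$ (resp. 
$\pi_0 \in \Pi_{\mathfrak{T}_0}$) such that $(\pi_0,\pi_1)$ is locally synchronous, then $(\pi_0,\pi_1)$ is, moreover, 
synchronous. 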

Proof. The proof is based on the fact that if $(\pi_0,\pi_1)$ is a locally synchronous 
pair, then such locally synchronous runs induce isomorphic posets if the systems 
are S, and hence, the pair of runs is also 'globally' 
synchronous. We proceed by induction on the length of runs. The base case, i.e., 
when the pair of runs is $(\pi_0,\pi_1) = (\epsilon, \epsilon)$, is trivial since in this case the two 
posets are empty. 

Then, for the induction step, suppose that there is a non-empty run $\pi_0$ of size 
$k$ that is locally synchronous to some run $\pi_1$; moreover, suppose that $\pi_0$ and $\pi_1$ 
induce isomorphic posets. We show that there is not a run $\pi_0.u$ which induces a 
poset that is not isomorphic to any of the posets induced by those runs $\pi_1.v$ for 
which the pairs of extended runs $(\pi_0.u, \pi_1.v)$ are locally synchronous. 

Due to the definition of S systems, one can consider the following three cases: 
(1) the transition $u$ is the instance of a net action $e$ such that $|{}^\bullet e| > 1$ and $u$ 
is not in the conflict relation of $\mathfrak{T}_0$; (2) the transition $u$ is the instance of a net 
action $e$ such that for some net place $s$ we have that $e \in s^\bullet$ and $\forall e \in s^\bullet.\ |{}^\bullet e| = 1$ 
and $u$ is not in the conflict relation of $\mathfrak{T}_0$; or (3) the transition $u$ is an instance 
of a net action of either type and is in the conflict relation of $\mathfrak{T}_0$. 

For the first case, let $\pi_0$ be any run such that $\rho(\pi_0) \le u$. By hypothesis we 
have that the posets induced by $\pi_0$ and $\pi_1$ are isomorphic, that $u$ depends only 
on one transition (namely, on $\rho(\pi_0)$), and that $\rho(\pi_1) \le v$ as well. Then, the only 
possibility for this case to fail is if $v$, unlike $u$, causally depends on more than only 
one transition (since it already depends on $\rho(\pi_1)$). Suppose this could happen; 
then, there is at least one transition $e_j$ in $\pi_1$ on which $v$ also causally depends 
and that is independent of $\rho(\pi_1)$. Then there must exist a run $\pi_1'$ of length $k - 1$ 
that does not contain $e_j$ and where $\rho(\pi_1') \le v'$ for some $v'$ such that $\delta(v') = \delta(v)$. 
Since $v$ and $v'$ cannot be two instances of the same net action, then they must be 
in conflict (because there is no auto-concurrency) and moreover belong to some 
tuple $c$ of the confusion relation cfs of $\mathfrak{T}_1$, which is impossible since S systems 
have a deterministic confusion relation. As a consequence any transition $u$ of 
this kind can be matched only by a transition $v$ that is the instance of a net 
action $e$ for which $|{}^\bullet e| = 1$, and due to Lemma 3.24 such kind of transitions 
extend a unique transition of any run, keeping the two extended runs $\pi_0.u$ and 
$\pi_1.v$ not only locally synchronous but also globally synchronous. 

For the second case, suppose that $u$ depends on a set $\{e_0^1, e_0^2, \ldots, e_0^m\}$ of 
elements of the poset induced by $\pi_0$, i.e., $\forall e \in \{e_0^1, e_0^2, \ldots, e_0^m\}.\ (e, u) \notin I_0$, and 
there is at least one $e_0^j$ that was related to some of $\pi_1$ while constructing the 
two locally synchronous runs, i.e., $e_0^j = \pi_0(k)$ and $e_1^j = \pi_1(k)$ for some natural 
number $k$, but that is not extended in $\pi_0$ with respect to $u$ as is extended in 
$\pi_1$ with respect to i.e., which makes the two induced posets not isomorphic 
because $(e_0^j,u) \notin I_0$ whereas $(e_1^j,v) \in I_1$. 

For the same reasons given in the first case, $v$ cannot depend on only one 
transition in $\pi_1$. On the contrary it must depend on at least two transitions, one 
of which must have the same label as $e_0^j$ and $e_1^j$; let $e''$ be such a transition. 
As in the first case, w.l.o.g. the other transition can be $\rho(\pi_1)$. Then, we have 
that $v$ causally depends on $e''$ and is independent of , which is independent of 
$e''$. But this is impossible since $\delta(e'') = \delta(e_1^j)$ and there is no auto-concurrency. 
Therefore, both runs must be extended in a synchronous way in this case as well. 

Finally, for the third case notice that the arguments given before apply here 
as well, regardless of the kind of transition under consideration since the two 
properties in the former cases still hold: on the one hand, any two transitions 
equally labelled are always in conflict and causally depend (locally) on only one 
transition of any run; and, on the other hand, whenever a transition that is an 
instance of a net action whose preset is not a singleton is enabled, then that 
transition is the only one enabled with such a label. 

As a consequence, any transition $v$ must extend the poset induced by $\pi_1$ in 
the same way as $u$ extends the poset induced by $\pi_0$, i.e., $\forall k \in \{1, \ldots, |\pi_0|\}$ one 
has that $(\pi_0(k),u) \notin I_0$ iff $(\pi_1(k),v) \notin I_1$, making the two posets isomorphic in 
all cases and for all pairs $(\pi_0,\pi_1)$ of locally synchronous runs of any length. □ 

Informally, one can say that the arguments in the proof just given go through 
because any 'extra-concurrency' in one of the systems with respect to the other 
can be recognised since there is no auto-concurrency, and any 'extra-causality' 
can be recognised since, in S systems, any two transitions enabled at the same 
time and equally labelled must be in conflict and causally depend on one tran- 
sition in any run. 

Corollary 3.26 (Logical completeness) $\subseteq \sim_{hpb}$ on S systems. 
Proof. From Lemmas 3.23 and 3.25. □ 
Theorem 3.27 (Full logical definability) $\sim_{\mathcal{L}^c_\mu} = \sim_{hpb}$ on S systems. 
Proof. Immediate from Lemma 3.22 and Corollary 3.26. □ 
Corollary 3.28 is decidable on S systems. 

Proof. Follows from Theorem 3.27 and the fact that $\sim_{hpb}$ is decidable [21]. □ 

The previous theorem shows that for the class of S systems the notion of 
'local' causality defined by $\mathcal{L}^c_\mu$ captures the stronger notion of 'global' causality, 
which is captured by $\sim_{hpb}$ in arbitrary classes of models of true-concurrency. 

This result can have interesting practical applications. For instance, the 
complexity of deciding whether two systems are hp bisimilar, i.e., that they possess 
the same causal properties, is EXPTIME-complete [H]; since verifying that two 
partial order systems satisfy the same set of $\mathcal{L}^c_\mu$ properties requires one to 
check only related 'localities' then the problem may be computationally easier. 

A Partial Result on the Logical Equivalence Induced by $L_\mu$. Although 
the equivalence induced by is analysed in the following section using 
game-theoretical arguments, we first present a simple preliminary result that relates 
both with $\sim_{hhpb}$, without using any game-theoretical machinery. 

Consider the counter-example given by Fröschle [T3] using Petri nets, which 
provides evidence of the non-coincidence between $\sim_{hpb}$ and $\sim_{hhpb}$ in free-choice 
systems. Although the systems presented there in Figure 1 and here in Figure 5 
are not hhp bisimilar, they cannot be distinguished by any formula. This 
result shows that in general $\sim_{hhpb}$ does not coincide with $\sim_{L_\mu}$. However, the 
precise relation between $\sim_{hhpb}$ and $\sim_{L_\mu}$ is to be defined in the following section 
using a new form of higher-order logic game for bisimulation. For now, we have 
the following result: 

Proposition 3.29 $\sim_{L_\mu} \not\subseteq \sim_{hhpb}$. 




Fig. 5. Not inclusion of in $\sim_{hhpb}$: we have that $A \sim_{L_\mu} B$ and $A \not\sim_{hhpb} B$. 



The two systems in Figure 5 are free-choice. We have noted that all 
counter-examples we have in which non-coincidence from $\sim_{hpb}$ and $\sim_{L_\mu}$ arises are due to 
anomalies in the concurrent behaviour of the models related to the phenomenon 
called confusion. For this reason, along with the fact that the idempotent operator of 
can recognise conflict-free sets of transitions, we believe, but have no proof, 
that these two equivalences actually coincide for the class of free-choice systems. 
So, we finish this section with the following conjecture: 

Conjecture 3.30 = $\sim_{hpb}$ on free-choice systems without auto-concurrency. 

4 Higher-Order Logic Games for Bisimulation 

The logic games for bisimulation presented in Section [5] provide a first-order 
power on the transitions that are picked when playing the game. In this section 
we introduce a bisimulation game that gives the players higher-order power on 
the sets of transitions in the game board. Since such games may be too powerful 
without restrictions, we consider higher-order games for bisimulation where this 
higher-order power is restricted to simple characteristic sets of transitions in the 
board. Moreover, since these games are intended to be used in the analysis of 
modal logics, then such a higher-order power is also restricted to a local setting. 

In particular, in this section we want to define higher-order logic games for 
bisimulation that help us understand the bisimulation equivalence induced by 
, and how this logical equivalence relates to the best known history-preserving 
bisimilarities for concurrency. To this end, we consider games with monadic 
second-order power on conflict-free sets of transitions, and show that such games 
can both capture the logical equivalence induced by and be related to the 
bisimulation games that characterise hpb and hhpb in a very natural way. The 
higher-order logic game for bisimulation defined here is a refinement of the 
bisimulation game first presented in [IB] for SFL, a fixpoint logic similar to $L_\mu$. 

4.1 Logical Correspondence 

In this section we give a game-theoretical characterisation of the equivalence 
that induces by defining a characteristic bisimulation game for it. As we 
already know that the game for must be at least as powerful as the game 
for hpb, since such a bisimilarity is captured by a syntactic fragment, then it 
is natural to design a game that extends the (first-order) bisimulation game for 
hpb. Here we do so. The game presented in this section conservatively extends 
the hp bisimulation game, and therefore the usual game for modal logic. We 
show that this bisimulation game, which we call 'trace history-preserving' (thp) 
bisimulation game, characterises the logical equivalence induced by $L_\mu$. 

More importantly, we show that, on S'-systems, the equivalence relation induced
by is strictly stronger than $\sim_{hpb}$ and strictly weaker than $\sim_{hhpb}$. We
also show that the game characterising i.e., the thpb game, is decidable in
finite systems, a result that contrasts with hhpb games, which are undecidable
on arbitrary finite models [23]; whether $\sim_{hhpb}$ is decidable on S-systems is an
open question. These features amongst others make the game introduced here,
and consequently the bisimulation equivalence induced by $\mathbb{L}_\mu$, an interesting
candidate for an equivalence for systems with partial order semantics.

But, before presenting the game let us introduce a final definition that 
is related to the role of support sets as locally identifiable sets of concurrent 
transitions, i.e., of conflict-free sets of transitions.

Definition 4.1 Two sets of transitions $R_1$ and $R_2$ are said to be history-preserving
isomorphic with respect to a pair of transitions $(t_m, t_n)$ if, and only
if, there exists a bijection $B$ between them such that for every $(t_1, t_2) \in B$, if
$t_m < t_1$ (resp. $t_m \otimes t_1$) then $t_n < t_2$ (resp. $t_n \otimes t_2$). <

Notice that any infinite play of an hpb game where Eve wins always induces
a sequence of history-preserving isomorphic sets, where each set is a singleton.
This follows from the fact that if this were not the case then Adam could win
by choosing a transition in either $R_1$ or $R_2$ such that the hp bisimulation would
no longer be synchronous. We are now ready to define thpb games.

Definition 4.2 (Trace history-preserving bisimulation games) Let the pair
$(\pi_1, \pi_2)$ be a configuration of the game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$. The initial configuration
of the game is $(\epsilon, \epsilon)$. There are two players, Eve and Adam, and Adam always
plays first and chooses where to play before using any rule of the game. The
equivalence relation $R_{thpb}$ is a trace history-preserving (thp) bisimulation, $\sim_{thpb}$,
between $\mathfrak{T}_1$ and $\mathfrak{T}_2$ iff it is an hp bisimulation between $\mathfrak{T}_1$ and $\mathfrak{T}_2$ and:

— (Base case) The initial configuration $(\epsilon, \epsilon)$ is in $R_{thpb}$.

— ($\sim_{thpb}$ rule) Before Adam chooses a transition using the $\sim_{hpb}$ rule, he can
also restrict the set of available transitions by choosing either in $\pi_1$ or $\pi_2$ a
maximal trace to be the new set of available choices. Then, Eve must choose
a maximal set in the other component of the configuration.

$\mathfrak{T}_1 \sim_{thpb} \mathfrak{T}_2$ iff Eve has a winning strategy for the thpb game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$. <

Lemma 4.3 If Eve has a winning strategy for every play in the trace history-preserving
bisimulation game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$, then $\mathfrak{T}_1 \sim_{\mathbb{L}_\mu} \mathfrak{T}_2$.

Proof. By contradiction suppose that Eve has a winning strategy and $P \not\sim_{\mathbb{L}_\mu} Q$,
where $P = (M,t)$ and $Q = (N,r)$ are two processes of $\mathfrak{T}_1$ and $\mathfrak{T}_2$, respectively.
There are two cases. Suppose that Adam cannot make a move. This means that
both P 1="^^ [—] S and Q 1="^^ [—] S only, which is a contradiction. The other 
case is when Eve wins in an infinite play. Since induces an hp bisimilarity 
and the thpb game conservatively extends the hpb game, w.l.o.g. we can consider 
only the case when the rule $\sim_{thpb}$ is necessarily played.

Then, let $P \models_{\mathbb{L}_\mu} \langle\otimes\rangle\phi_1$, which, by hypothesis, is not satisfied by $Q$. By the
satisfaction relation either $M$ is already a maximal trace or there is a maximal
trace $M'$ such that $M' \sqsubseteq M$. Additionally, such a maximal trace cannot be
recognised from $N$. However, this is not possible since Eve can always find such
a support set by hypothesis.

Thus, the only other possibility is that the support set can be constructed
but a synchronous transition in it cannot be found. But this also leads to a
contradiction because the support sets that Eve chooses are, additionally,
history-preserving isomorphic to the ones that Adam chooses. Therefore all properties
that include $\langle\otimes\rangle$ must be satisfied at this stage and the game has to proceed
to the next round. However, since the play will continue forever, this holds for all
reachable processes, and therefore, all formulae containing $\langle\otimes\rangle$ that are satisfied
in $P$ must also be satisfied in $Q$, which is again a contradiction. □

Corollary 4.4 (Soundness). If $\mathfrak{T}_1 \not\sim_{\mathbb{L}_\mu} \mathfrak{T}_2$, then Adam has a winning strategy
for every play in the trace history-preserving bisimulation game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$.

Lemma 4.5 (Completeness). If $\mathfrak{T}_1 \sim_{\mathbb{L}_\mu} \mathfrak{T}_2$, then Eve has a winning strategy
for every play in the trace history-preserving bisimulation game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$.

Proof. By constructing a winning strategy for Eve based on the fact that $\mathfrak{T}_1 \sim_{\mathbb{L}_\mu} \mathfrak{T}_2$.
For the same reasons given previously, w.l.o.g., it is possible to consider only
the case when Adam uses the $\sim_{thpb}$ rule.

So, suppose that Adam is able to choose a maximal set $M$ enabled at $P = (M, t)$,
where $P$ is a process in the stateless maximal process space $\mathfrak{S}$ associated
with $\mathfrak{T}_1$. This implies that $P \models_{\mathbb{L}_\mu} \phi$, where $\phi = \langle\otimes\rangle\phi_1$ for some formula $\phi_1$
with support set $M$. By the hypothesis, for some process $Q = (N,r)$ that is
thp bisimilar to $P$, it must be true that $Q \models_{\mathbb{L}_\mu} \phi$ as well, and therefore Eve
can choose a maximal set $N$ which is the support set for $\phi_1$ in $Q = (N, r)$. Since
P Q then $M$ and $N$ must be history-preserving isomorphic sets with respect
to $(t, r)$; otherwise, there would be a simple modal formula differentiating them.

Then Adam must choose an element of either set of transitions using the
$\sim_{hpb}$ rule, say a transition $t' \in M$. But since $M$ and $N$ are history-preserving
isomorphic sets with respect to $(t,r)$, then it is always possible for Eve to find
a transition $r' \in N$ that synchronises as $t'$, forcing the game to proceed to a
next round. The play, therefore, must either go on forever or stop because Adam
cannot make a move. In either case Eve wins the game. The dual case is similar
since Adam can always choose where to play, i.e., in which structure, before
applying any rule of the game. □

The soundness and completeness results give a full game-theoretical
characterisation to the equivalence induced by $\mathbb{L}_\mu$.

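Theorem 4.6 (Game abstraction) $\mathfrak{T}_1 \sim_{\mathbb{L}_\mu} \mathfrak{T}_2$ iff Eve has a winning strategy
for the thp bisimulation game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$; conversely, $\mathfrak{T}_1 \not\sim_{\mathbb{L}_\mu} \mathfrak{T}_2$ iff Adam has a
winning strategy for the thp bisimulation game $\mathcal{G}(\mathfrak{T}_1, \mathfrak{T}_2)$.

Corollary 4.7 $\sim_{\mathbb{L}_\mu} \;=\; \sim_{thpb}$.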

4.2 Decidability and Determinacy

Theorem 4.8 $\sim_{thpb}$ is decidable on finite systems.

Proof. As all other bisimulation games presented in this report, thpb games are
two-player zero-sum perfect-information (infinite) games whose winning conditions
define 'Borel' sets, thus they are determined [5S]. Alternatively, we can also
say that since thpb games are sound and complete, then they must be determined.
This means that if Eve does not win a play in the game, then Adam must win
it. But, since Eve only wins when the two systems are either -equivalent, then
Adam must win whenever the two systems are not equivalent.

Moreover, the number of different configurations of any play is always finite, 
provided that the systems are finite. This follows from the fact that in order to 
define a winning strategy for Eve one only needs to analyse the locality of the 
process space where Eve is playing, rather than the whole history of the game,
and clearly the number of localities in a finite system is also finite. In particular,
notice that given a state of a partial order model there is always only a finite 
number of processes and support sets relative to such a state. This feature gives 
a finite size to the set of elements in the first component of a configuration. On 
the other hand, finiteness of the elements in the second component follows from 
the bounded branching property of the models since they are also image-finite. 

Now, when constructing a winning strategy for Adam it is important to 
note that only a finite number of processes must be analysed given a particular 
state of a partial order model. Firstly, notice that a stateless maximal process 
space embeds the immediate history of a play in the transition component of a 
process, and so such information is available locally by exploring a finite number 
of processes given a particular element in the process space. Secondly, the set of
support sets that a player can choose given a particular process is also finite and can be
explored simply by checking all support sets relative to either the same state or the same
support set of the process in the last configuration of the game, i.e., all those in
the same neighbourhood. This analysis must be done for all states of the partial 
order models being compared, but again these sets of states are also finite. 

Finally, since Eve wins when Adam cannot make a move (a finite play easily 
decided) or when a finite set of repeated configurations is visited infinitely often 
(for infinite plays, which are won only by Eve), then it is always possible to 
compute the winning strategies for Eve, and therefore decidability follows. □ 

Corollary 4.9 $\sim_{\mathbb{L}_\mu}$ is decidable.

Proof. Follows from Theorem and Corollary HTTl □

The previous results let us relate $\sim_{hhpb}$ with using game-theoretical
arguments. As these bisimulation games are conservative extensions of the hpb
game, they can be compared just by looking at their additional rules with respect
to the hpb game. Then, only by showing that the additional rule for the hhpb
game is at least as powerful as the additional rule for the thpb game, and taking
into account that, by Proposition 3.29, $\sim_{hhpb}$ and do not coincide, we have:

Theorem 4.10 $\sim_{hhpb} \subset \sim_{\mathbb{L}_\mu}$.

Proof. Suppose that two systems are hhp bisimilar. We show that they must be
thp bisimilar as well. The additional rule for the thpb game simply lets Adam
choose a set of runs to be checked by committing a choice made by Eve. Suppose
the current configuration of the game is $(\pi_1, \pi_2)$. When Adam uses the additional
rule of the thpb game, the extended runs that can be checked by Adam have
the form $\pi' = \pi_1.w_1.\alpha$ and $\pi'' = \pi_2.w_2.\beta$, where $w_1$ and $w_2$ are the sequences
of transitions in the conflict-free isomorphic sets $M$ and $N$ that Adam and Eve
have chosen, and $\alpha$ and $\beta$ are any sequence of transitions after them which are
not in $M$ and not in $N$, respectively. Now, since $M$ and $N$ only contain conflict-free
transitions at $\pi_1$ and $\pi_2$, i.e., concurrent transitions at $\pi_1$ and $\pi_2$, they are
all backwards enabled whenever Adam decides to choose them, and therefore
they can also be checked by the additional rule of the hhpb game. □

This result allows us to define a new hierarchy of equivalences and games for
concurrency. The new hierarchy we define here extends the work of Fecher [12].



4.3 A New Hierarchy of Equivalences for Concurrency 

An interesting problem is that of having logics capturing bisimulation
equivalences for concurrency. A hierarchy of so-called 'true concurrent' equivalences
can be found in [12]. Our results define a new hierarchy of equivalences for
concurrent systems, where the bisimilarities induced by (the fixpoint-free fragment
of) rank above all the decidable equivalences in such a hierarchy.

Prior to this work, we had that $\sim_{hhpb}$ is captured by the Path Logic (PL) of
Nielsen and Clausen [33], as well as the well-known result by Milner and
Hennessy that is captured by HML [20], or what is equivalent, by the fixpoint-free
fragment of the mu-calculus. Moreover, in a preliminary work to the one reported
here the author also studied another fixpoint logic quite similar to $\mathbb{L}_\mu$. Such a
logic, which is called Separation Fixpoint Logic (SFL [18]), also induces a
bisimulation equivalence strictly stronger than hpb and strictly weaker than hhpb on
S'-systems; such an equivalence is studied in [18] under the name of
'independence' hpb, $\sim_{ihpb}$. The exact relation between $\sim_{\mathbb{L}_\mu}$ and $\sim_{ihpb}$ (or equivalently
$\sim_{SFL}$, the bisimilarity induced by SFL) is however still unknown.

Just to recall, here we have shown that >CJ^ captures $\sim_{hpb}$, the standard
equivalence for causal systems. Moreover, a new equivalence was introduced and
shown to be decidable and strictly between $\sim_{hpb}$ and $\sim_{hhpb}$ in terms of
discriminating power. In Figure [6], $\sim_{PL}$ represents the bisimulation equivalence induced
by PL; moreover, ~erj refers to several other equivalences for concurrency, which
are not studied in this document. The original hierarchy can be found in [12].




Fig. 6. A hierarchy of equivalences for concurrency. The arrow means inclusion $\subset$.




5 Higher-Order Logic Games for Model-Checking 



In this section we introduce higher-order logic games for model-checking that
allow local second-order power on sets of independent transitions in the underlying
partial order models where the games are played. Since the interleaving semantics
of such models is not considered, some problems that may arise when using
interleaving representations are avoided and new decidability results for partial
order models are achieved. The games are shown to be sound and complete, and
therefore determined. While in the interleaving case they coincide with the local
model-checking games for the mu-calculus, in a partial order setting they verify
properties of a number of fixpoint modal logics that can specify, in concurrent
systems with partial order semantics, several properties not expressible with $\mathcal{L}_\mu$.

The games underpin a novel decision procedure for model-checking all temporal
properties of a class of infinite and regular event structures, thus improving
previous results in the literature. As said before, similar to the case
of higher-order logic games for bisimulation, the players in this new game are
given local monadic second-order power on conflict-free sets of transitions. The
technical details behind the construction of this game follow seminal ideas on
local model-checking games for as presented by Stirling [46]. In particular,
this higher-order logic game for model-checking is a simple refinement of the
model-checking procedure first defined in [Tp by Bradfield and the author.

A higher-order logic game for model-checking $\mathcal{G}(\mathfrak{M}, \phi)$ is played on a model
$\mathfrak{M} = (\mathfrak{T}, V)$, where $\mathfrak{T} = (S, s_0, T, I, E)$ is a system, and on a formula $\phi$. The
game can also be presented as $\mathcal{G}_{\mathfrak{M}}(H_0, \phi)$, or even as $\mathcal{G}(H_0, \phi)$ or $\mathcal{G}(s_0, \phi)$, where
$H_0 = (X(s_0), t_\epsilon)$ is the initial process of $\mathfrak{S}$ in the model $\mathfrak{M}$. The board in which
the game is played has the form $\mathfrak{B} \subseteq \mathfrak{S} \times Sub(\phi)$, for a process space $\mathfrak{S} = \mathfrak{X} \times \mathfrak{A}$
of support sets $R \in \mathfrak{X}$ and transitions $t \in \mathfrak{A}$ in the system $\mathfrak{T}$, and where $Sub(\phi)$
is the subformula set of $\phi$ as given by the Fischer-Ladner closure associated with
the logic to which $\phi$ belongs. Since we want to define model-checking games for

we now present the Fischer-Ladner closure of formulae. 

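Definition 5.1 (Fischer-Ladner closure of formulae) The 'subformulae'
or subformula set $Sub(\phi)$ of a formula $\phi$ is given in the following way:

$$
\begin{array}{lcl}
Sub(Z) & = & \{Z\} \\
Sub(\phi_1 \wedge \phi_2) & = & \{\phi_1 \wedge \phi_2\} \cup Sub(\phi_1) \cup Sub(\phi_2) \\
Sub(\phi_1 \vee \phi_2) & = & \{\phi_1 \vee \phi_2\} \cup Sub(\phi_1) \cup Sub(\phi_2) \\
Sub(\langle a\rangle_c \phi_1) & = & \{\langle a\rangle_c \phi_1\} \cup Sub(\phi_1) \\
Sub(\langle a\rangle_{nc} \phi_1) & = & \{\langle a\rangle_{nc} \phi_1\} \cup Sub(\phi_1) \\
Sub([a]_c \phi_1) & = & \{[a]_c \phi_1\} \cup Sub(\phi_1) \\
Sub([a]_{nc} \phi_1) & = & \{[a]_{nc} \phi_1\} \cup Sub(\phi_1) \\
Sub(\langle\otimes\rangle \phi_1) & = & \{\langle\otimes\rangle \phi_1\} \cup Sub(\phi_1) \\
Sub([\otimes] \phi_1) & = & \{[\otimes] \phi_1\} \cup Sub(\phi_1) \\
Sub(\mu Z.\phi_1) & = & \{\mu Z.\phi_1\} \cup Sub(\phi_1) \\
Sub(\nu Z.\phi_1) & = & \{\nu Z.\phi_1\} \cup Sub(\phi_1)
\end{array}
$$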

A play is a possibly infinite sequence of configurations $C_0, C_1, \ldots$, written as
$(R,t) \vdash \phi$ or $H \vdash \phi$ whenever possible; each $C_i$ is an element of the board $\mathfrak{B}$.
Every play starts in the configuration $C_0 = H_0 \vdash \phi$, and proceeds according to
the rules of the game given in Figure [7]. As usual for model-checking games, Eve
tries to prove that $H_0 \models \phi$ whereas Adam tries to show that $H_0 \not\models \phi$.







[Figure 7: table of the game rules (FP), (VAR), ($\vee$), ($\wedge$), ($\langle\,\rangle_c$), ($\langle\,\rangle_{nc}$), ($[\,]_c$), ($[\,]_{nc}$), ($\langle\otimes\rangle$) and ($[\otimes]$).]

Fig. 7. Model-checking game rules of $\mathbb{L}_\mu$. Whereas the notation $[\forall]$ denotes a
choice made by Adam, the notation $[\exists]$ denotes a choice by Eve; $X$ is the maximal
set at $\tau(r)$.



The rules (FP) and (VAR) control the unfolding of fixpoint operators. Their
correctness is based on the fact that $\sigma Z.\phi = \phi[\sigma Z.\phi / Z]$, where $\sigma \in \{\mu, \nu\}$,
according to the semantics of the logic. Rules ($\vee$) and ($\wedge$) have the same meaning
as the disjunction and conjunction rules, respectively, in a Hintikka game for
propositional logic. Rules ($\langle\,\rangle_c$), ($\langle\,\rangle_{nc}$), ($[\,]_c$) and ($[\,]_{nc}$) are like the rules for
quantifiers in a standard Hintikka game semantics for first-order (FO) logic,
provided that the box and diamond operators behave, respectively, as restricted
universal and existential quantifiers sensitive to the causal information in the
partial order model.

Finally, the most interesting rules are ($\langle\otimes\rangle$) and ($[\otimes]$). Local monadic
second-order moves are used to recognize conflict-free sets of transitions in i.e., those
in the same 'trace'. The use of $\langle\otimes\rangle$ and $[\otimes]$ requires a player to make a choice,
locally, on a set of transitions rather than on a singleton set as in the traditional
games for model-checking. However, such a second-order power is restricted to
some conflict-free sets of transitions; more specifically, to maximal traces.

Guided by the semantics of $\langle\otimes\rangle$ (resp. $[\otimes]$), it is defined that Eve (resp.
Adam) must look for a maximal set $M$ to be assigned to as its support set.

Definition 5.2 The following rules are the winning conditions that determine
a unique winner for every finite or infinite play $C_0, C_1, \ldots$ in a game $\mathcal{G}(H_0, \phi)$.

Adam wins a finite play $C_0, C_1, \ldots, C_n$ or an infinite play $C_0, C_1, \ldots$ iff:

1. $C_n = H \vdash Z$ and $H \notin V(Z)$.

2. $C_n = (R, t) \vdash \langle a\rangle_c \psi$ and $\{(X, r) : t < r = s \xrightarrow{a} s' \in R\} = \emptyset$.

3. $C_n = (R, t) \vdash \langle a\rangle_{nc} \psi$ and $\{(X, r) : t \otimes r = s \xrightarrow{a} s' \in R\} = \emptyset$.

4. $C_n = (R, t) \vdash \langle\otimes\rangle \psi$ and $\{(M, t) : M \sqsubseteq R\} = \emptyset$.

5. The play is infinite and there are infinitely many configurations where $Z$
appears, such that $Z$ is the least fixpoint of some subformula $\mu Z.\psi$ and the
syntactically outermost variable in $\phi$ that occurs infinitely often.

Eve wins a finite play $C_0, C_1, \ldots, C_n$ or an infinite play $C_0, C_1, \ldots$ iff:

1. $C_n = H \vdash Z$ and $H \in V(Z)$.

2. $C_n = (R, t) \vdash [a]_c \psi$ and $\{(X, r) : t < r = s \xrightarrow{a} s' \in R\} = \emptyset$.

3. $C_n = (R, t) \vdash [a]_{nc} \psi$ and $\{(X, r) : t \otimes r = s \xrightarrow{a} s' \in R\} = \emptyset$.

4. $C_n = (R, t) \vdash [\otimes] \psi$ and $\{(M, t) : M \sqsubseteq R\} = \emptyset$.

5. The play is infinite and there are infinitely many configurations where $Z$
appears, such that $Z$ is the greatest fixpoint of some subformula $\nu Z.\psi$ and
the syntactically outermost variable in that occurs infinitely often. <

5.1 Soundness and Completeness 

Let us first give some intermediate results. The statements in this section are all
either standard modal mu-calculus statements, or standard statements where
additional cases for the new operators of need to be checked. We give the
statements in full, and the usual proof outlines, for the sake of being self-contained.

Let $\mathfrak{T}$ be a system and $C = (R, t) \vdash \psi$ a configuration in the game $\mathcal{G}(H_0, \phi)$,
as defined before. As usual, the denotation of a formula in the model
$\mathfrak{M} = (\mathfrak{T}, V)$ is a subset of $\mathfrak{S}$. We say that a configuration $C$ of $\mathcal{G}(H_0, \phi)$ is true
if, and only if, we have that $(R,t) \in \|\psi\|_V$, and false otherwise.

Fact 5.3 is closed under negation.

Lemma 5.4 A game $\mathcal{G}(H_0, \phi)$, where Eve has a winning strategy, has a dual
game $\mathcal{G}(H_0, \neg\phi)$ where Adam has a winning strategy, and conversely.




Proof. First, note that since is closed under negation, for every rule that
requires a player to make a choice on a formula $\psi$ there is a dual rule in which
the other player makes a choice on the negated formula $\neg\psi$. Also, note that for
every winning condition for one of the players in a formula $\psi$ there is a dual
winning condition for the other player in $\neg\psi$. Now, suppose Eve has a winning
strategy $\pi$ in the game $\mathcal{G}(H_0, \phi)$. Adam can use $\pi$ in the dual game $\mathcal{G}(H_0, \neg\phi)$
since whenever he has to make a choice, by duality, there is a rule that requires
Eve to make a choice in $\mathcal{G}(H_0, \phi)$. In this way, regardless of the choices that Eve
makes, Adam can enforce a winning play for himself. The case when Adam has
a winning strategy in the game $\mathcal{G}(H_0, \phi)$ is dual. □

Lemma 5.5 Eve preserves falsity and can preserve truth with her choices. Hence, 
she cannot choose true configurations when playing in a false configuration. Du- 
ally, Adam preserves truth and can preserve falsity with his choices. Then, he 
cannot choose false configurations when playing in a true configuration. 

Proof. The cases for the rules ($\wedge$) and ($\vee$) are just as for the Hintikka evaluation
games for FO logic. Thus, let us go on to check the rules for the other operators.
Firstly, consider the rule ($\langle\,\rangle_c$) and a configuration $C = (R,t) \vdash \langle a\rangle_c\psi$, and
suppose that $C$ is false. In this case there is no $a$ such that $t < r \in R$ and
$(X, r) \in \|\psi\|_V$, where as usual $r$ is some transition $s \xrightarrow{a} s'$ and $X$ is the maximal
set at $\tau(r)$. Hence, the following configurations will be false as well. Contrarily, if
$C$ is true, then Eve can make the next configuration $(X, r) \vdash \psi$ true by choosing a
transition $r = s \xrightarrow{a} s' \in R$ such that $t < r$. The case for ($\langle\,\rangle_{nc}$) is similar (simply
change $<$ for $\otimes$), and the cases for ($[\,]_c$) and ($[\,]_{nc}$) are dual. Now, consider the
rule ($\langle\otimes\rangle$) and a configuration $C = (R,t) \vdash \langle\otimes\rangle\psi$, and suppose that $C$ is false.
In this case there is no maximal trace $M$ such that $M \sqsubseteq R$ and $(M,t) \in \|\psi\|_V$,
and hence Eve preserves falsity since the next configuration must be false as
well. On the other hand, if $C$ is true, then Eve can make the next configuration
true as well by choosing a maximal set $M$ such that $(M, t) \vdash \psi$ is true.
Finally, the deterministic rules (FP) and (VAR) preserve both truth and falsity
because of the semantics of fixpoint operators. Recall that for any process $H$, if
$H \in \|\sigma Z.\psi\|_V$ then $H \in \|\psi\|_{V[Z := \|\sigma Z.\psi\|_V]}$ for free variables $Z$ in $\psi$. □

Lemma 5.6 In any infinite play of a game $\mathcal{G}(H_0, \phi)$ there is a unique syntactically
outermost variable that occurs infinitely often.

Proof. By contradiction, assume that the statement is false. Without loss of
generality, suppose that there are two variables $Z$ and $Y$ that are syntactically
outermost and appear infinitely often. The only possibility for this to happen is
that $Z$ and $Y$ are at the same level in $\phi$. However, if this is the case $Z$ and $Y$
cannot occur infinitely often unless there is another variable $X$ that also occurs
infinitely often and whose unfolding contains both $Z$ and $Y$. But this means
that both $Z$ and $Y$ are syntactically beneath $X$, and therefore neither $Z$ nor $Y$
is outermost in $\phi$, which is a contradiction. □

Fact 5.7 Only rule (VAR) can increase the size of a formula in a configuration. 
All other rules decrease the size of formulae in configurations. 

Lemma 5.8 Every play of a game $\mathcal{G}(H_0, \phi)$ has a uniquely determined winner.

Proof. Suppose the play is of finite length. Then, the winner is uniquely
determined by one of the winning conditions one to four (Definition 5.2) of either Eve
or Adam since such rules cover all possible cases and are mutually exclusive.
Now, suppose that the play is of infinite length. Due to Fact 5.7, rule (VAR)
must be used infinitely often in the game, and thus, there is at least one variable
that is replaced by its defining fixpoint formula each time it occurs. Therefore,
winning condition five of one of the players can be used to uniquely determine
the winner of the game since, due to Lemma 5.6, there is a unique syntactically
outermost variable that occurs infinitely often. □

Definition 5.9 (Approximants) Let $Z$ be the least fixpoint of some formula
$\phi$ and let $\alpha, \lambda \in Ord$ be two ordinals, where $\lambda$ is a limit ordinal. Then:

For greatest fixpoints the approximants are defined dually. Let $Z$ be the greatest
fixpoint of some formula $\phi$ and, as before, let $\alpha, \lambda \in Ord$ be two ordinals, where
$\lambda$ is a limit ordinal. Then:

ZO:=tt, Z"+i = Z^=Aa<A^" ^ 

We can now show that the analysis for fixpoint modal logics [8] can be ex- 
tended to this scenario. The proof of soundness uses similar arguments to that 
in the mu-calculus case, but we present it here in full because it is the basis of 
the decision procedure for model-checking. 

Theorem 5.10 (Soundness) Let $\mathfrak{M} = (\mathfrak{T}, V)$ be a model of a formula $\phi$ in the
game $\mathcal{G}(H_0, \phi)$. If $H_0 \notin \|\phi\|_V$ then Adam wins $H_0 \vdash \phi$.

Proof. Suppose $H_0 \notin \|\phi\|_V$. We construct for Adam a possibly infinite game
tree that starts in $H_0 \vdash \phi$. We do so by preserving falsity according to Lemma
5.5, i.e., whenever a rule requires Adam to make a choice then the tree will
contain the successor configuration that preserves falsity. All other choices that
are available for Eve are included in the game tree.

First, consider only finite plays. Since Eve only wins finite plays that end in 
true configurations, then she cannot win any finite play by using her winning 
conditions one to four. Hence, Adam wins each finite play in this game tree. 

Now, consider infinite plays. The only chance for Eve to win is to use her
winning condition five. So, let the configuration $H \vdash \nu Z.\phi$ be reached such that
$Z$ is the syntactically outermost variable that appears infinitely often in the play
according to Lemma 5.6. In the next configuration $H \vdash Z$, variable $Z$ is interpreted
as the least approximant such that $H \notin \|Z^\alpha\|_V$ and $H \in \|Z^{\alpha-1}\|_V$, by
the principle of fixpoint induction. As a matter of fact, by monotonicity and due
to the definition of fixpoint approximants it must also be true that $H \in \|Z^\beta\|_V$
for all ordinals $\beta$ such that $\beta < \alpha$. Note that, also due to the definition of
fixpoint approximants, $\alpha$ cannot be a limit ordinal $\lambda$ because this would mean that
$H \notin \|Z^\lambda = \bigwedge_{\beta<\lambda} Z^\beta\|_V$ and $H \in \|Z^\beta\|_V$ for all $\beta < \lambda$, which is impossible.

Since $Z$ is the outermost variable that occurs infinitely often and the game
rules follow the syntactic structure of formulae, the next time that a configuration
$C' = H' \vdash Z$ is reached, $Z$ can be interpreted as in order to make $C'$ false
as well. And again, if $\alpha - 1$ is a limit ordinal $\lambda$, there must be a $\gamma < \lambda$ such that
$H' \notin \|Z^\gamma\|_V$ and $H' \in \|Z^{\gamma-1}\|_V$. One can repeat this process even until $\lambda = \omega$.

But, since ordinals are well-founded the play must eventually reach a false
configuration $C'' = H'' \vdash Z$ where $Z$ is interpreted as $Z^0$. And, according to
Definition 5.9, $Z^0 := tt$, which leads to a contradiction since the configuration
$C'' = H'' \vdash tt$ should be false, i.e., $H'' \in \|tt\|_V$ should be false, which is
impossible. In other words, if $H$ had failed a maximal fixpoint, then there must have
been a descending chain of failures, but, as can be seen, there is not.

As a consequence, there is no such least $\alpha$ that makes the configuration
$H \vdash Z^\alpha$ false, and hence, the configuration $H \vdash \nu Z.\phi$ could not have been false either.
Therefore, Eve cannot win any infinite play with her winning condition 5 either.
Since Eve can win neither finite plays nor infinite ones whenever $H_0 \notin \|\phi\|_V$,
then Adam must win all plays of $\mathcal{G}(H_0, \phi)$. □

Remark 5.11 If only finite state systems are considered, Ord, the set of
ordinals, can be replaced by N, the set of natural numbers. <

Theorem 5.12 (Completeness) Let $\mathfrak{M} = (\mathfrak{T}, V)$ be a model of a formula $\phi$
in the game $\mathcal{G}(H_0, \phi)$. If $H_0 \in \|\phi\|_V$ then Eve wins $H_0 \vdash \phi$.

Proof. Suppose that $H_0 \in \|\phi\|_V$. Due to Fact 5.3 it is also true that $H_0 \notin \|\neg\phi\|_V$.
According to Theorem 5.10, Adam wins $H_0 \vdash \neg\phi$, i.e., has a winning strategy
in the game $\mathcal{G}(H_0, \neg\phi)$. And, due to Lemma 5.4, Eve has a winning strategy in
the dual game $\mathcal{G}(H_0, \phi)$. Therefore, Eve wins $H_0 \vdash \phi$ if $H_0 \in \|\phi\|_V$. □

Theorems 5.10 and 5.12 imply that the game is determined. Determinacy
and perfect information make the notion of truth defined by this Hintikka game 
semantics coincide with its Tarskian counterpart. 

Corollary 5.13 (Determinacy) For every model-checking game $\mathcal{G}(H_0, \phi)$
either Adam or Eve has a winning strategy to win all plays in the game.

5.2 Local Properties and Decidability 

We have shown that the higher-order logic games designed to model-check
properties of concurrent systems with partial order semantics are still sound
and complete even when players are allowed to manipulate sets of independent
transitions. Importantly, the power of these games, and also of $\mathbb{L}_\mu$, is that such
a second-order quantification is kept both local and restricted to transitions in
the same trace. We now show that such model-checking games enjoy several
local properties that in turn make them decidable in the finite case. Such a
decidability result is used later on to extend the decidability border of
model-checking a category of partial order models of concurrency.

Proposition 5.14 (Winning strategies) The winning strategies in the
higher-order logic games for model-checking properties are history-free.

Proof. Consider a winning strategy $\pi$ for Eve. According to Lemma 5.5 and
Theorem 5.12 such a strategy consists of preserving truth with her choices and
annotating variables with their approximant indices. But neither of these two
tasks depends on the history of a play. Instead they only depend on the current
configuration of the game. In particular notice that, of course, this is also the
case for the structural operators since the second-order quantification has only
a local scope. Similar arguments apply for the winning strategies of Adam. □

This result is key to achieve decidability of these games in the presence of 
the local second-order quantification on the traces of the partial order models 
we consider. Also, from a more practical standpoint, memoryless strategies are 
desirable as they are easier to synthesize. However, synthesis is not studied here. 

Theorem 5.15 (Decidability) The model-checking game for finite systems
against specifications is decidable.

Proof. Since the game is determined, finite plays are decided by winning con- 
ditions one to four of either player. Now consider the case of plays of infinite 
length; since the winning strategies of both players are history-free, we only need 
to look at the set of different configurations in the game, which is finite even 
for plays of infinite length because of the following simple argument. In a finite 
system an infinite play can only be possible if the model is cyclic. But, since 
the model has a finite number of states, there is an upper bound on the number 
of fixpoint approximants that must be calculated (as well as on the number of 
configurations of the game board that must be checked) in order to ensure that 
either a greatest fixpoint is satisfied or a least fixpoint has failed. As a conse- 
quence, all possible history-free winning strategies for a play of infinite length 
can be computed, so that the game can be decided using winning condition five 
of one of the players. Note that in general computing (pure) history-free winning 
strategies of determined games played in a finite system is always possible. □ 

The Interleaving Case. Local properties of these higher-order games can also
be found in the interleaving case, namely, they coincide with the local
model-checking games for the modal mu-calculus defined by Stirling and presented in
Section [2]. Note that interleaving concurrency can be cast using by both
syntactic and semantic means. In the former case this is done by considering
only its $\mathcal{L}_\mu$ fragment, whereas in the latter case this is achieved by considering
directly the (one-step) interleaving semantics of a concurrent system.

The importance of this feature of is that even having constructs for 
independence and a natural partial order semantics, nothing is lost with respect 
to the main local approaches to interleaving concurrency. Let us recall that 
$\mathcal{L}_\mu$ can be obtained from by considering the $\{\langle\otimes\rangle, [\otimes]\}$-free language and using 
only HML modalities, i.e., making a strict use of the following abbreviations: 
$\langle a\rangle\phi = \langle a\rangle_c\,\phi \lor \langle a\rangle_{nc}\,\phi$ and $[a]\phi = [a]_c\,\phi \land [a]_{nc}\,\phi$. 

Proposition 5.16 If either a model with an empty independence relation or the 
syntactic fragment of $\mathbb{L}_\mu$ is considered, then the higher-order model-checking 
games for degenerate to the local model-checking games for $\mathcal{L}_\mu$. 

Proof. Let us consider the case when the syntactic fragment of is 
considered. The first observation to be made is that the $\{\langle\otimes\rangle, [\otimes]\}$-free fragment 
of only considers maximal sets. Hence if a transition can be performed then 
it is always in the support set currently available. Therefore, support sets in X 
can be disregarded and only the set of states of the systems is needed. Also, 
without loss of generality, consider only the case of the modal operators since 
the boolean and fixpoint operators have the same denotation. 

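$$\|\langle a\rangle\phi\|_V = \{(s,t) \in S \times \mathfrak{A} \mid \exists q \in S.\ t \le r = s \xrightarrow{a} q \land (q,r) \in \|\phi\|_V\}$$
$$\qquad \cup\ \{(s,t) \in S \times \mathfrak{A} \mid \exists q \in S.\ t \ominus r = s \xrightarrow{a} q \land (q,r) \in \|\phi\|_V\}$$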

The second observation is that when computing the semantics of the combined 
operator $\langle a\rangle$, the conditions $t \le r$, i.e., $(t,r) \notin I$, and $t \ominus r$, i.e., $(t,r) \in I$, 
complement each other and become always true since there are no other possibilities. 
Thus, the second component of every pair in $S \times \mathfrak{A}$ can also be disregarded. 

$$\|\langle a\rangle\phi\|_V = \{s \in S \mid \exists q \in S.\ s \xrightarrow{a} q \land q \in \|\phi\|_V\}$$

The case for the box operator [a] is similar. Now, note that the new game rules 
and winning conditions enforced by these restrictions coincide with the ones 
defined by Stirling for the local model-checking games of In particular, the 
new game rules and winning conditions for the modalities are as follows. 

In a finite play $C_0, C_1, \ldots, C_n$ of $\mathcal{G}(H_0, \phi)$, where $C_n$ has a modality as a 
formula component, Adam wins iff $C_n = s \vdash \langle a\rangle\psi$ and $\{q : s \xrightarrow{a} q\} = \emptyset$, and 
Eve wins iff $C_n = s \vdash [a]\psi$ and $\{q : s \xrightarrow{a} q\} = \emptyset$. Since winning conditions for 
infinite plays do not depend on modalities, they remain the same. Furthermore, 
the game rules for modal operators reduce to: 

$(\langle\,\rangle)\quad [\exists]\ a : s \xrightarrow{a} q \qquad\qquad ([\,])\quad [\forall]\ a : s \xrightarrow{a} q$

Clearly, the games just defined are equivalent to the ones defined by Stirling 
[46]. The reason for this coincidence is that when a modality $\langle a\rangle\phi$ (resp. $[a]\phi$) 
is encountered, only Eve (resp. Adam) gets to choose both the next subformula 
and the transition used to verify (resp. falsify) the truth value of $\phi$. 

Now, let us look at the case when a model with an empty independence 
relation is considered. In such a case the rule $([\,]_{nc})$ becomes trivially true and 
the rule $(\langle\,\rangle_{nc})$ trivially false since in an interleaving model all pairs of transitions 
$(t,r)$ such that $\tau(t) = \sigma(r)$ are in $\le$. Moreover, in such models the rules $(\langle\otimes\rangle)$ 
and $([\otimes])$ are "absorbed" by rules $(\langle\,\rangle_c)$ and $([\,]_c)$, respectively, because all 
maximal sets are necessarily singletons, and as before because all transitions are 
in $\le$, whereas is empty. For these reasons the elements that belong to the sets 
X and $\mathfrak{A}$ need no longer be considered and the rules $([\,]_c)$ and $(\langle\,\rangle_c)$ become $([\,])$ 
and $(\langle\,\rangle)$, respectively. The other rules remain the same. □ 
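
The reduction above leaves only sets of states, so on a finite model every 
fixpoint is reached after at most |S| approximants, which is the bound used in 
the proof of Theorem 5.15. The Python sketch below is an added example, not code 
from the paper: it evaluates that degenerate state-set semantics directly instead 
of playing the game, and the tuple encoding of formulae and the three-state model 
are constructed for illustration. 

```python
# Formulae as nested tuples (an encoding assumed for this example):
#   ("tt",) ("ff",) ("var", X) ("and", f, g) ("or", f, g)
#   ("dia", a, f) for <a>f, ("box", a, f) for [a]f, ("mu", X, f), ("nu", X, f)

def succ(trans, s, a):
    """a-successors of state s, i.e. {q : s -a-> q}."""
    return {q for (p, b, q) in trans if p == s and b == a}

def sem(f, states, trans, env=None):
    """Set of states satisfying f; fixpoint variables are looked up in env."""
    env = env or {}
    op = f[0]
    if op == "tt":
        return set(states)
    if op == "ff":
        return set()
    if op == "var":
        return env[f[1]]
    if op in ("and", "or"):
        left = sem(f[1], states, trans, env)
        right = sem(f[2], states, trans, env)
        return left & right if op == "and" else left | right
    if op in ("dia", "box"):
        target = sem(f[2], states, trans, env)
        if op == "dia":
            # some a-successor lies in target; fails when there is no successor
            return {s for s in states if succ(trans, s, f[1]) & target}
        # every a-successor lies in target; holds vacuously with no successor
        return {s for s in states if succ(trans, s, f[1]) <= target}
    if op in ("mu", "nu"):
        approx = set() if op == "mu" else set(states)
        # A monotone chain of subsets of S changes at most |S| times.
        for _ in range(len(states) + 1):
            nxt = sem(f[2], states, trans, {**env, f[1]: approx})
            if nxt == approx:
                return approx
            approx = nxt
        raise ValueError("fixpoint body is not monotone")
    raise ValueError(f"unknown operator {op!r}")

# Constructed cyclic model: 0 -a-> 1, 1 -a-> 0, 1 -b-> 2; state 2 is deadlocked.
STATES = {0, 1, 2}
TRANS = {(0, "a", 1), (1, "a", 0), (1, "b", 2)}

# nu X.<a>X : an infinite a-path exists
INFINITE_A = ("nu", "X", ("dia", "a", ("var", "X")))
# mu X.(<b>tt or <a>X) : a b-step is reachable through a-steps
CAN_REACH_B = ("mu", "X", ("or", ("dia", "b", ("tt",)),
                           ("dia", "a", ("var", "X"))))

if __name__ == "__main__":
    print(sem(INFINITE_A, STATES, TRANS))
    print(sem(CAN_REACH_B, STATES, TRANS))
    print(sem(("box", "a", ("ff",)), STATES, TRANS))
```

The deadlocked state 2 shows the two modal winning conditions: a diamond formula 
fails there and a box formula holds there, because the set of successors is empty. 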

5.3 Model-Checking Infinite Posets 

In this subsection we use the higher-order model-checking games for to push 
forward the decidability border of the model-checking problem of a particular 
class of partial order models, namely, of the class of regular event structures 
defined by Thiagarajan [50]. More precisely, we improve previous results by 
Penczek [3D] and Madhusudan ^\ in terms of temporal expressive power. The 
solution presented here is the version of the same result obtained in [TH] . 

on Regular Trace Event Structures. As we have shown previously, 
higher-order logic games for model-checking can be played in either finite or 
infinite state systems (with finite branching). However, decidability for the games 
was proved only for finite systems. Therefore, if the system at hand has recursive 
behaviour and, moreover, is represented by an event structure, then the TSI 
representation of it may be infinite, and decidability is not guaranteed. 

We now analyse the decidability of the model-checking games for against 
a special class of infinite, but regular, event structures called 'regular trace' event 
structures. This class of systems was introduced by Thiagarajan [50] in order to 
give a canonical representation to the set of Mazurkiewicz traces modelling the 
behaviour of a finite concurrent system. The model-checking problem for this 
class of models has been studied elsewhere [27,40], and shown to be rather 
difficult. In the remainder of this section we show that model-checking properties 
of this kind of systems is also decidable. 

As described before, an event structure $\mathfrak{E} = (E, \preccurlyeq, \sharp, \eta, \Sigma)$ determines a TSI 
$\mathfrak{T} = (S, s_0, T, I, \Sigma)$ by means of an inclusion functor from the category $\mathcal{ES}$ of 
event structures to the category $\mathcal{TSI}$ of TSI. The mapping we presented before 
was given in a set-theoretic way since such a presentation is more convenient for 
us. A categorical definition is given by Joyal, Nielsen, and Winskel, which can 
be found in [22]. Let $\lambda : \mathcal{ES} \to \mathcal{TSI}$ be such a construction. 

Definition 5.17 A regular trace event structure is a labelled event structure 
$\mathfrak{E} = (E, \preccurlyeq, \sharp, \eta, \Sigma)$ as in Definition 2.3, where for all configurations $C$ of $\mathfrak{E}$, and 
for all events $e \in C$, the set of future non-isomorphic configurations rooted at $e$ 
defines an equivalence relation of finite index. ◁ 

Let Conf be the set of configurations of $\mathfrak{E}$. Notice that the restriction to 
image-finite models implies that the partial order $\preccurlyeq$ of $\mathfrak{E}$ is of finite 
branching, and hence for all $C \in \mathit{Conf}$, the set of immediately next configurations is 
bounded. Also notice that the set of states $S$ of the TSI representation of an 
event structure $\mathfrak{E}$ is isomorphic to the set Conf of configurations of $\mathfrak{E}$. 

A Computable Folding Functor from Event Structures to TSI. In order 
to overcome the problem of dealing with infinite event structures, such as the 
regular trace event structures just defined, we present a new morphism (a 
functor) that folds a possibly infinite event structure into a TSI. This way, a finite 
process space can be constructed so as to give the semantics of $\mathbb{L}_\mu$ formulae, 
and hence, play a model-checking game for this logic in a finite board. Such a 
morphism and the procedure to effectively compute it are described below. 

The Quotient Set Method. Let $Q = (\mathit{Conf}/{\sim})$ be the quotient set representation 
of Conf by $\sim$ in a finite or infinite event structure $\mathfrak{E}$, where Conf is the set 
of configurations in $\mathfrak{E}$ and $\sim$ is an equivalence relation on such configurations. 
The equivalence class $[X]_\sim$ of a configuration $X \in \mathit{Conf}$ is the set $\{C \in \mathit{Conf} \mid 
C \sim X\}$. A quotient set $Q$ where $\sim$ is decidable is said to have a decidable 
characteristic function, and will be called a computable quotient set. 

Definition 5.18 A regular quotient set $(\mathit{Conf}/{\sim})$ of an event structure $\mathfrak{E}$ is a 
computable quotient set representation of $\mathfrak{E}$ with a finite number of equivalence 
classes. ◁ 

Having defined a regular quotient set representation of $\mathfrak{E}$, the morphism 
$\lambda : \mathcal{ES} \to \mathcal{TSI}$ above can be modified to define a new map $\lambda_f : \mathcal{ES} \to \mathcal{TSI}$ 
which folds a (possibly infinite) event structure into a TSI: 

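$$S = \{[C]_\sim \subseteq \mathit{Conf} \mid \exists [X]_\sim \in Q = (\mathit{Conf}/{\sim}).\ C \sim X\}$$
$$T = \{([C]_\sim, a, [C']_\sim) \in S \times \Sigma \times S \mid \exists e \in E.\ \eta(e) = a,\ e \notin C,\ C' = C \cup \{e\}\}$$
$$I = \{(([C_1]_\sim, a, [C_1']_\sim), ([C_2]_\sim, b, [C_2']_\sim)) \in T \times T \mid \exists (e_1, e_2) \in \mathit{co}.$$
$$\qquad \eta(e_1) = a,\ \eta(e_2) = b,\ C_1' = C_1 \cup \{e_1\},\ C_2' = C_2 \cup \{e_2\}\}$$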

Lemma 5.19 Let $\mathfrak{T}$ be a TSI and $\mathfrak{E}$ an event structure. If $\mathfrak{T} = \lambda_f(\mathfrak{E})$, then the 
models $(\mathfrak{T}, V)$ and $(\mathfrak{E}, V)$ satisfy the same set of $\mathbb{L}_\mu$ formulae. 

Proof. The morphism $\lambda_f : \mathcal{ES} \to \mathcal{TSI}$ from the category of event structures to 
the category of TSI has a unique right adjoint $\varepsilon : \mathcal{TSI} \to \mathcal{ES}$, the unfolding 
functor that preserves labelling and the independence relation between events, 
such that for any $\mathfrak{E}$ we have that $\mathfrak{E}' = (\varepsilon \circ \lambda_f)(\mathfrak{E})$, where $\mathfrak{E}'$ is isomorphic to 
$\mathfrak{E}$. But formulae do not distinguish between models and their unfoldings, 
and hence cannot distinguish between $(\mathfrak{T}, V)$ and $(\mathfrak{E}', V)$. Moreover, formulae 
do not distinguish between isomorphic models equally labelled, and therefore 
cannot distinguish between $(\mathfrak{E}', V)$ and $(\mathfrak{E}, V)$ either. □ 

Having defined a morphism $\lambda_f$ that preserves $\mathbb{L}_\mu$ properties, one can now 
define a procedure that constructs a TSI model from a given event structure. 

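Definition 5.20 Let $\mathfrak{E} = (E, \preccurlyeq, \sharp, \eta, \Sigma)$ be an event structure and $(\mathit{Conf}/{\sim})$ a 
regular quotient set representation of $\mathfrak{E}$. A representative set $E_r$ of $\mathfrak{E}$ is a subset 
of $E$ such that $\forall C \in \mathit{Conf}.\ \exists X \subseteq E_r.\ C \sim X$. ◁ 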

Lemma 5.21 Let $\mathfrak{E}$ be an event structure represented as a regular quotient set 
$(\mathit{Conf}/{\sim})$. Then, a finite representative set $E_r$ of $\mathfrak{E}$ is effectively computable. 

Proof. Construct a finite representative set $E_r$ as follows. Start with $E_r = \emptyset$ 
and $C_j = C_0 = \emptyset$, the initial configuration or root of the event structure. Check 
$C_j \sim X_i$ for every equivalence class $[X_i]_\sim$ in $Q = (\mathit{Conf}/{\sim})$ and whenever $C_j \sim X_i$ 
holds define both a new quotient set $Q' = Q \setminus [X_i]_\sim$ and a new $E_r' = E_r \cup C_j$. 
This subprocedure terminates because there are only finitely many equivalence 
classes to check and the characteristic function of the quotient set is decidable. 
Now, do this recursively in a breadth-first search fashion in the partial order 
defined on $E$ by $\preccurlyeq$ and stop when the quotient set is empty. Since $\preccurlyeq$ is of 
finite branching and all equivalence classes must have finite configurations, the 
procedure is bounded both in depth and breadth and the quotient set will always 
eventually get smaller. Hence, such a procedure always terminates. It is easy to 
see that this procedure only terminates when $E_r$ is a representative set of $\mathfrak{E}$. □ 

A finite representative set $E_r$ is big enough to define all states in the TSI 
representation of $\mathfrak{E}$ when using $\lambda_f$. However, such a set may not be enough to 
recognize all transitions in the TSI. In particular, cycles cannot be recognized 
using $E_r$. Therefore, it is necessary to compute a set $E_f$ where cycles in the TSI 
can be recognized. We call $E_f$ a complete representative set of $\mathfrak{E}$. The procedure 
to construct $E_f$ is similar to the previous one. 

Lemma 5.22 Let $\mathfrak{E} = (E, \preccurlyeq, \sharp, \eta, \Sigma)$ be an event structure and $E_r$ a finite 
representative set of $\mathfrak{E}$. If $\mathfrak{E}$ is represented as a regular quotient set $(\mathit{Conf}/{\sim})$, then 
a finite complete representative set $E_f$ of $\mathfrak{E}$ is effectively computable. 

Proof. Start with $E_f = E_r$, and set $\mathfrak{C} = \mathit{Conf}(E_r)$, the set of configurations 
generated by $E_r$. For each $C_j$ in $E_r$ check in $\preccurlyeq$ the set $\mathit{Next}(C_j)$ of next 
configurations to $C_j$, i.e., those configurations $C_j'$ such that $C_j' = C_j \cup \{e\}$ for some 
event $e$ in $E \setminus C_j$. Having computed $\mathit{Next}(C_j)$, set $E_f = E_f \cup (\bigcup \mathit{Next}(C_j))$ and 
$\mathfrak{C} = \mathfrak{C} \setminus \{C_j\}$, and stop when $\mathfrak{C}$ is empty. This procedure behaves as the one 
described previously. Notice that at the end of this procedure $E_f$ is complete 
since it contains the next configurations of all elements in $E_r$. □ 
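
The two procedures of Lemmas 5.21 and 5.22 can be run in one pass: expand one 
representative configuration per equivalence class breadth-first and record every 
one-step extension, so that steps returning to a known class close the cycles. 
The Python sketch below is an added example, not the paper's code; the 
two-component system, the event encoding (component, occurrence) and the 
residual function standing in for the decidable relation ~ are assumptions 
constructed for illustration. 

```python
from collections import deque

# Constructed sample system: two parallel, recursive components.  Component 0
# alternates a, b forever and component 1 repeats c forever.  Event (i, k) is
# the k-th occurrence in component i, so the event structure is infinite.
LABELS = {0: "ab", 1: "c"}

def count(conf, i):
    """Number of events of component i in configuration conf."""
    return sum(1 for comp, _ in conf if comp == i)

def label(e):
    comp, k = e
    return LABELS[comp][k % len(LABELS[comp])]

def enabled(conf):
    """Events extending conf by one step (finite branching)."""
    return [(i, count(conf, i)) for i in LABELS]

def co(e1, e2):
    """Concurrency relation: events of different components are independent."""
    return e1[0] != e2[0]

def residual(conf):
    """Decidable characteristic function of ~ : C ~ X iff equal residuals.
    It is the control point of each component, so ~ has finite index."""
    return tuple(count(conf, i) % len(LABELS[i]) for i in LABELS)

def fold(root=frozenset()):
    """Breadth-first construction of the folded TSI components (S, T, I)."""
    reps = {residual(root): root}   # one representative configuration per class
    steps = []                      # (transition, event that generated it)
    queue = deque([root])
    while queue:
        conf = queue.popleft()
        for e in enabled(conf):
            nxt = conf | {e}
            src, dst = residual(conf), residual(nxt)
            steps.append(((src, label(e), dst), e))
            if dst not in reps:     # new class: keep it and expand it later
                reps[dst] = nxt
                queue.append(nxt)
            # otherwise the step closes a cycle and is not expanded again
    S = set(reps)
    T = {t for t, _ in steps}
    I = {(t1, t2) for t1, e1 in steps for t2, e2 in steps if co(e1, e2)}
    return S, T, I, reps

if __name__ == "__main__":
    S, T, I, reps = fold()
    print(sorted(S))
    print(sorted(T))
    print(len(I))
```

The loop terminates because only one configuration per class is ever queued and 
each configuration has finitely many one-step extensions. 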

Temporal Verification of Regular Infinite Event Structures. Based on 
Lemmas 5.19 and 5.22 and on Theorem 5.15 we can give a decidability result for 
the class of event structures introduced in [50] against specifications. Such a 
result, which is obtained by representing a regular event structure as a regular 
quotient set, is a corollary of the following theorem: 

Theorem 5.23 The model-checking problem for an event structure $\mathfrak{E}$ 
represented as a regular quotient set $(\mathit{Conf}/{\sim})$ against specifications is decidable. 

Proof. Due to Lemma 5.22 one can construct a finite complete representative 
set $E_f$ of $\mathfrak{E}$. Then a finite TSI that satisfies the same set of formulae as $\mathfrak{E}$ can 
be defined by using the folding map $\lambda_f$ from event structures to TSI, and using 
$E_f$ instead of $E$ as the new set of events. Since such a morphism preserves all 
properties (Lemma 5.19), the model-checking problem for this kind of event 
structures can be reduced to solving the model-checking game for finite TSI, and 
hence for finite systems in general, which due to Theorem 5.15 is decidable. □ 

Regular Event Structures as Finite CCS Processes. A regular event 
structure can be generated by a finite concurrent system represented by a finite 
number of (possibly recursive) CCS processes [31,52]. Syntactic restrictions on 
CCS that generate only finite systems have been studied. Notice that the 
combination of the syntactic restriction to finite CCS processes and the semantic 
restriction to image-finite models give the requirements for regularity on the 
event structures that are generated, in particular, of the regular trace event 
structures defined before. 

Now, without any loss of generality, consider only deterministic CCS 
processes without auto-concurrency. A CCS process is deterministic if whenever 
$a.M + b.N$, then $a \neq b$, and similarly has no auto-concurrency if whenever 
$a.M \parallel b.N$, then $a \neq b$. Notice that any CCS process P that either is 
nondeterministic or has auto-concurrency can be converted into an equivalent process 
Q which generates an event structure that is isomorphic, up to relabelling of 
events, to the one generated by P. 

Eliminating nondeterminism and auto-concurrency can be done by relabelling 
events in $\wp(P)$, the powerset of CCS processes of P, with an injective 
map $\theta : \Sigma \to \Sigma^*$ (where $\Sigma^*$ is a set of labels and $\Sigma \subseteq \Sigma^*$), and by extending 
the 'synchronization algebra' [55] according to the new labelling of events so as 
to preserve pairs of (labels of) events that can synchronize. Also notice that the 
original labelling can always be recovered from the new one, i.e., the one 
associated with the event structure generated by Q, since $\theta$ is injective and hence has 
inverse $\theta^{-1} : \Sigma^* \to \Sigma$. 

Finite CCS Processes as Regular Quotient Sets. Call $\mathit{ESProc}(P)$ the 
set of configurations of the event structure generated by a CCS process P of the 
kind described above. The set $\mathit{ESProc}(P)$ together with an equivalence relation 
between CCS processes $\equiv_{CCS}$ given simply by syntactic equality between them is 
a regular quotient set representation $(\mathit{ESProc}(P)/{\equiv_{CCS}})$ of the event structure 
generated by P. 

Notice that since there are finitely many different CCS expressions, i.e., $\wp(P)$ 
is finite, then the event structure generated by P is of finite-branching and the 
number of equivalence classes is also bounded. Finally, $\equiv_{CCS}$ is clearly decidable 
because the process P is always associated with the configuration and any other 
configuration in $\mathit{ESProc}(P)$ can be associated with only one CCS expression in 
$\wp(P)$ as they are deterministic and have no auto-concurrency after relabelling. 

The previous simple observations lead to the following result: 

Corollary 5.24 Model-checking regular trace event structures against 
specifications is decidable. 

A similar result was given by Bradfield and the present author [19] using SFL. 
However, as stated previously, since the exact relationship between the 
expressivity of SFL and $\mathbb{L}_\mu$ is still unknown, we are, as of now, unable to decide 
which of the two results is stronger in terms of temporal expressive power. It 
may well be that SFL and $\mathbb{L}_\mu$ are actually equi-expressive on S'-systems. 

6 Discussion and Related Work 

The work presented here is related to three connected topics: mu-calculi, bisim- 
ulation equivalences, and model-checking problems. We were particularly inter- 
ested in mu-calculi as fixpoint extensions of modal logic, and bisimulation and 
model-checking problems from a game-theoretic perspective. Our results relate, 
mainly, to work on these topics with respect to partial order models of concur- 
rency; however, since we also embrace interleaving systems in a very natural way, 
in some cases pointers to similar work in the interleaving context are given. 

Mu-Calculi. This work can be related to logics with partial order semantics 
at large. Formulae of these logics, usually, are given denotations that consider 
the one-step interleaving semantics of a particular partial order model. Following 
this approach no new logical constructions have to be introduced; unfortunately, 
in this case the explicit notion of concurrency in the models is completely lost. 

Thus, the usual approach when defining logics with partial order models is to 
introduce operators that somehow capture the independence information on the 
partial order models. In most cases that kind of logical independence is actually 
a sequential interpretation of concurrency, which is based on the introduction 
of past operators sensitive to concurrent transitions and a mixture of forwards 
and backwards reasoning; however, this can lead to undecidability results with 
respect to the decision problems related to such logics, e.g., with respect to their 
satisfiability, equivalence, or model-checking problems (cf. [33,38,39,41]). 

Several logics with the characteristics described above whose semantics are 
given using partial order models (as well as their related decision problems) can 
be found in [39,41], and the references therein. Other logics with partial order 
semantics that do not appear there can be found, e.g., in [1,33], but the literature 
includes many, many more references. However, it is worth saying that not all 
such logics are extensions of modal logic or even mu-calculi. In some cases, they 
are variations of the usual linear-time and branching-time temporal logics. 

At a more philosophical level, this study is also similar to that in [5,6], a 
work primarily on mathematical logic using game logics for concurrency. In these 
works the main goal is to explicitly capture what we call 'model independence', 
i.e., explicit concurrency in the models, in a logical way with the use of Henkin 
quantifiers, which are partial order generalisations of the usual quantifiers in 
classical logic. More precisely, in [S] different properties of a number of fixpoint 
modal logics based on Hintikka and Sandu's 'Independence-Friendly' (IF) logic 
are discussed, and in [5] the bisimulation equivalence induced by one of such 
logics, namely of IF modal logic (IFML), is thoroughly studied. Their main 
motivation closely relates to ours, especially because of their interest in the 
bisimulation equivalences induced by such logics as well as the use of games. 

Bisimulation. A great deal of work has been done on the study of 
bisimulation equivalences captured by modal and temporal logics, e.g., as done by 
Milner and Hennessy [50] or by De Nicola and Vaandrager [32] in an interleaving 
context. Here, we have proposed a generic approach in which the standard 
bisimilarity for interleaving concurrency, namely sb, is captured by syntactic and 
semantic means using and its associated (higher-order) bisimulation game. 

Also, the work by Joyal, Nielsen, and Winskel [55] relates to ours. Whereas in 
[22] they proposed a categorical approach to defining an abstract or model 
independent notion of bisimulation equivalence for several concurrent systems, here 
we have proposed a logical one, following the way of reasoning used in [20,32], 
but in our case in a partial order setting instead of an interleaving one. Moreover, 
the bisimilarities we studied here are all decidable, a result that contrasts with 
the work by Nielsen and Clausen [33], where a concretization of the abstract 
notion of bisimulation defined in [22] is given a logical as well as a game-theoretic 
characterisation, which turned out to be undecidable. 

As briefly mentioned before, Bradfield and Fröschle [6] also studied the 
bisimulation equivalence induced by IFML using game-theoretic techniques. They 
followed a logical approach, which is in spirit quite close to our work. 
Unfortunately, the bisimulation equivalences induced by the logic studied there do not 
coincide, in most cases, with the standard bisimilarities for partial order models 
of concurrency, not even when restricted to particular classes of systems. 

Model-checking. Model-checking games have been an active area of 
research in the last decades (cf. [16,51]). They have been studied from both 
theoretical and practical perspectives. For instance, for the proper definition of their 
mathematical properties [17,25,26], or for the construction of tools for property 
verification, e.g., see [14,45]. Most approaches based on games have considered 
either only interleaving systems or the one-step interleaving semantics of partial 
order models. Our work differs from these approaches in that we deal with games 
played on partial order models without considering interleaving simplifications. 
Although verification problems in finite partial order models can be undecidable, 
the games presented here are all decidable in the finite case. 

Regarding model-checking in a broader sense, many procedures, not only 
game-theoretic, have been studied elsewhere for concurrent systems both with 
interleaving models and with partial order semantics. For instance, see [1,9,41], 
as well as the references therein, for several examples of various techniques and 
approaches to model-checking concurrent systems. However, since our main 
motivation was to develop a decision procedure to verify concurrent systems with 
partial order models, only the techniques considering these kinds of systems 
relate to our work, though, as said before, such procedures are not game-theoretic. 

With respect to the temporal verification of event structures, previous studies 
have been done on restricted classes. Closer to our work is [27,40]. Indeed, 
model-checking regular trace event structures has turned out to be rather difficult and 
previous work has shown that verifying monadic second-order (MSO) 
properties on these structures is already undecidable. For this reason weaker (classical, 
modal, and temporal) logics have been studied. Unfortunately, although very 
interesting results have been achieved, especially in [27] where CTL* temporal 
properties can be verified, previous approaches have not managed to define 
decidable theories for a logic with enough expressive power to describe all usual 
temporal properties as can be done with in the interleaving case, and 
therefore with when considering partial order models for concurrency. 

The difference between the logics and decision procedure presented in [27] and 
the approach we presented here is that in [27] a global second-order quantification 
on conflict-free sets in the partial order model is permitted, whereas only a local 
second-order quantification in the same kind of sets is defined here, but such 
a second-order power can be embedded into fixpoint specifications, which in 
turn allows one to express more temporal properties. In this way we are able 
to improve, in terms of temporal expressive power, previous results on 
model-checking regular trace event structures against a branching-time temporal logic. 

Finally, it is important to point out that most of the results we have presented 
here with respect to the logics as well as to the bisimulation and model-checking 
games have been also obtained using SFL (instead of as in this report); such 
results were first presented in [18,19]. This report is based on the work presented 
there, but it also contains some modifications, corrections, and refinements. 

7 Concluding Remarks 

We have given a logical characterisation to the dualities that can be found when 
analysing locally the relationships between concurrency and conflict as well as 
concurrency and causality in partial order models of concurrency. This char- 
acterisation aims at defining relationships between equivalences that take into 
account the explicit notion of independence when considering partial order se- 
mantics, and which can be defined at the level of the models as well as at the 
level of the logics. This study led to several positive results with respect to the 
bisimulation and model-checking problems associated with such logics and 
models. It also delivered new forms of logic games for verification where the players 
are given higher-order power on the sets of elements they are allowed to play. 

A key ingredient of the work reported here is that we allow a free interplay 
of fixpoints and local monadic second-order power in both the mu-calculi and 
higher-order logic games for verification we have presented. Our results, together 
with the analysis of some of the related work, suggest that restricting the quan- 
tification power to conflict-free sets (of transitions) in partial order models of 
concurrency may be a sensible way of retaining decidability while still having 
good expressivity. These features, along with the fact that the mu-calculi and 
logic games we have defined for partial order models generalise those for inter- 
leaving concurrency, make our logic-based game-theoretic framework a powerful 
alternative approach to studying different kinds of concurrent systems uniformly, 
regardless of whether they have an interleaving or a partial order semantics. 